openvpn OpenSSL error digital envelope routines unsupported
Latest revision as of 13:59, 1 April 2024
versions
O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0 and 2.5.8: the solution below was tested successfully
openvpn = 2.6.3: the solution below was tested and failed
problem description
unable to connect to a VERY old openvpn server.
TLS 1.0 has already been "enabled" in /etc/ssl/openssl.cnf by adding the line...
MinProtocol = TLSv1.0
errors
client openvpn messages...
2024-03-28 22:49:56 Using peer cipher 'BF-CBC'
2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported
2024-03-28 22:49:56 EVP cipher init #1
2024-03-28 22:49:56 Exiting due to fatal error
root cause
the server negotiates BF-CBC (Blowfish in CBC mode) for the data channel. OpenSSL 3 moved Blowfish, together with MD4, RC4, DES and other deprecated algorithms, out of the default provider into a separate legacy provider, and that provider is not loaded unless the configuration file activates it. When openvpn asks the EVP layer to initialise the cipher, no loaded provider implements it, which is exactly the "digital envelope routines::unsupported" error above.
verifying that bf-cbc is at least known to the current openssl build. note that this only shows the name is registered in the command-line tool; it does not prove that a loaded provider can instantiate the cipher, which is what the error above and the provider list below are about.
$ openssl enc -ciphers | grep -i bf-cbc
-bf -bf-cbc -bf-cfb
list loaded openssl providers. only the default provider is active, so nothing supplies BF-CBC.
$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.11
    status: active
solution
enable the legacy openssl provider
uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf. the stock OpenSSL 3 configuration file already contains these sections with the legacy lines and both activate lines commented out, and it relies on the top-level "openssl_conf = openssl_init" and "[openssl_init] providers = provider_sect" entries being present, so check that those have not been removed.

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

keep "activate = 1" under [default_sect]. as soon as the configuration activates any provider explicitly, OpenSSL stops loading the default provider automatically, and without that line AES, SHA-2, RSA and every other ordinary algorithm disappear for every program on the host, not just the VPN.

two caveats. first, this change is system-wide: every OpenSSL 3 consumer on the machine (web servers, mail, ssh-agent helpers, python, ...) can now use Blowfish, RC4, MD4 and the other legacy algorithms, so if only openvpn needs it, prefer a private configuration file handed to that one process through the OPENSSL_CONF environment variable. second, BF-CBC is a 64-bit block cipher (SWEET32) and is deprecated in both OpenSSL and OpenVPN; treat this as a bridge until the server side is upgraded to an AES-GCM data channel.
verify the above lines are working correctly. nothing needs to be "restarted" in the sense of a daemon: the file is read whenever a process initialises OpenSSL, so every new openssl or openvpn invocation picks it up (an openvpn client that is already running does have to be restarted to see it).
$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.11
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.11
    status: active
retry vpn connection.
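the script below is an added example for this page, not the wiki author's commands. it turns the checks above into something repeatable: it probes whether the running OpenSSL can actually instantiate BF-CBC (rather than just list the name), writes a private openssl.cnf that activates the legacy provider next to the default provider, and probes again with only that file in effect via OPENSSL_CONF, so the legacy algorithms are enabled for the openvpn process alone instead of system-wide. all file paths are assumptions; the config content mirrors the provider lines above plus the page's MinProtocol = TLSv1.0 setting, because a private file replaces /etc/ssl/openssl.cnf for that process and anything else you changed there has to be repeated.

```shell
#!/bin/sh
# Added example (not from the wiki page): probe BF-CBC availability and build a
# per-process OpenSSL 3 config that activates the legacy provider.
# All paths are assumptions for the example.

# Prints "usable", "unsupported" or "no-openssl". The fixed key/IV are dummy
# values for a capability probe, not an encryption of anything real.
probe_bf_cbc() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    if printf 'probe' | openssl enc -bf-cbc \
            -K 00112233445566778899aabbccddeeff -iv 0001020304050607 \
            >/dev/null 2>&1; then
        echo usable
    else
        echo unsupported    # same failure as "digital envelope routines::unsupported"
    fi
}

# Same probe, but with OpenSSL reading the configuration file given as $1
# (run in a subshell so OPENSSL_CONF does not leak into the caller).
probe_bf_cbc_with() {
    ( export OPENSSL_CONF="$1"; probe_bf_cbc )
}

# Writes to $1 a self-contained OpenSSL 3 config activating both providers.
# "activate = 1" under [default_sect] is mandatory: once the config activates
# any provider, OpenSSL stops loading the default provider implicitly.
# MinProtocol mirrors the page's system-wide change, which this private file
# would otherwise silently drop for the process that uses it.
write_legacy_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0
EOF
}

# Prints the provider names OpenSSL reports as loaded under config $1
# (the two-space-indented names in "openssl list -providers" output).
loaded_providers() {
    command -v openssl >/dev/null 2>&1 || return 0
    ( export OPENSSL_CONF="$1"; openssl list -providers ) 2>/dev/null |
        awk '/^  [^ ]/ { print $1 }'
}

main() {
    cnf=$1
    echo "BF-CBC with the system config: $(probe_bf_cbc)"
    write_legacy_cnf "$cnf"
    echo "providers loaded under $cnf: $(loaded_providers "$cnf" | tr '\n' ' ')"
    echo "BF-CBC with $cnf: $(probe_bf_cbc_with "$cnf")"
    echo "start the client with: OPENSSL_CONF=$cnf openvpn --config client.ovpn"
}

# Only act when told where to write the file, e.g.
#   LEGACY_CNF=/etc/openvpn/openssl-legacy.cnf sh legacy-probe.sh
if [ -n "${LEGACY_CNF:-}" ]; then
    main "$LEGACY_CNF"
fi
```

with the file in place, the client is started as OPENSSL_CONF=/etc/openvpn/openssl-legacy.cnf openvpn --config client.ovpn (path assumed); for a systemd-managed client the same variable goes into an Environment= line in a drop-in for the unit. the probe should report "unsupported" with the system config and "usable" with the private one; if it stays "unsupported", the legacy provider module (legacy.so under OpenSSL's modules directory) is missing or the [default_sect] activate line was dropped.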
links
HOWTO ACTIVATE LEGACY PROVIDER IN OPENSSL 3 (FOR MD4 AND OTHERS): https://myrtana.sk/articles/howto-activate-legacy-provider-in-openssl-3