Difference between revisions of "openvpn OpenSSL error digital envelope routines unsupported"

From thelinuxwiki
Revision as of 04:41, 29 March 2024

versions

O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0

problem description

unable to connect to a VERY old openvpn server.

old TLS 1.0 has already been "enabled" in /etc/ssl/openssl.cnf by adding the line...

MinProtocol = TLSv1.0

errors

client openvpn messages...

2024-03-28 22:49:56 Using peer cipher 'BF-CBC'
2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported
2024-03-28 22:49:56 EVP cipher init #1
2024-03-28 22:49:56 Exiting due to fatal error

root cause

the bf-cbc cipher is available via the openssl legacy provider only, but it is not loaded.

verifying bf-cbc is in the supported ciphers of current openssl

$ openssl enc -ciphers | grep -i bf-cbc
-bf                        -bf-cbc                    -bf-cfb

list loaded openssl providers

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active

solution

enable the legacy openssl provider

uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

verify the above lines are working correctly. nothing needs to be "restarted".

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active
 legacy
   name: OpenSSL Legacy Provider
   version: 3.0.11
   status: active

retry vpn connection.
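The following diagnostic script is an added example, not part of the wiki page. It separates the two possible causes of the error above (legacy provider installed but not activated in openssl.cnf, versus the legacy provider module not being installed at all) by running the BF-CBC cipher once with the system config and once with the provider loaded explicitly on the command line. It assumes an OpenSSL 3.x `openssl` binary with the standard `list -providers` and `enc -provider` options.

```shell
#!/bin/sh
# Added diagnostic for the BF-CBC / legacy-provider problem (not the wiki's own code).
# Assumes OpenSSL 3.x: `openssl list -providers` and `openssl enc -provider NAME`.

# Read `openssl list -providers` output on stdin and print the names of the
# providers whose status is "active", one per line.
active_providers() {
    awk '
        /^  *[a-z]/ && NF == 1 { name = $1 }   # provider name line, e.g. " legacy"
        /status: active/       { print name }
    '
}

# Exit 0 if the legacy provider is active under the system openssl.cnf.
legacy_provider_active() {
    openssl list -providers | active_providers | grep -qx legacy
}

# Encrypt a constructed message with BF-CBC using only the system config.
# Fails with "digital envelope routines::unsupported" when legacy is not loaded.
bf_cbc_works_with_config() {
    printf 'constructed test message' \
      | openssl enc -bf-cbc -pbkdf2 -pass pass:constructed-test-key >/dev/null 2>&1
}

# Same, but load the legacy provider for this one command only (default is
# still needed for the PBKDF2 key derivation). Succeeds whenever legacy.so
# is installed, regardless of what openssl.cnf activates.
bf_cbc_works_with_explicit_legacy() {
    printf 'constructed test message' \
      | openssl enc -bf-cbc -pbkdf2 -pass pass:constructed-test-key \
          -provider legacy -provider default >/dev/null 2>&1
}

# Classify the failure mode via the exit code so it can be scripted:
#   0 = BF-CBC usable with the system config (legacy provider is active)
#   1 = legacy provider works when loaded explicitly but is not activated
#       in openssl.cnf -> apply the [provider_sect] change from this page
#   2 = BF-CBC fails even with legacy loaded -> legacy provider module missing
diagnose_bf_cbc() {
    if bf_cbc_works_with_config; then return 0; fi
    if bf_cbc_works_with_explicit_legacy; then return 1; fi
    return 2
}
```

Because /etc/ssl/openssl.cnf is read by every OpenSSL 3 program on the host, the explicit `-provider legacy -provider default` form is also a way to confirm the cipher works before changing the system-wide configuration.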

NOTE... at some version of openvpn it seems to have dropped the ability to use bf-cbc at all. this solution was tested with openvpn 2.5.0 which was compiled from source. it didn't work with openvpn 2.6.3.