I edited /etc/ssl/openssl.cnf file and resolved my problem.
But I don't understand: is this a bug or a permanent change? Will it be possible to use TLS key files without a password in the future?
I have hundreds of clients with this configuration from PFSense.
$ cd path/to/the/pfx-file
$ mv mykeys.pfx mykeys.pfx.bak
$ openssl pkcs12 -in mykeys.pfx.bak -out mykeys.pfx -aes256 -legacy
Note: It's possible that your keyfile has a .p12 extension, that's an alternative valid file extension to .pfx.
The 'openssl' command will ask you first for your old passphrase to do the import and then twice for the new passphrase. If you re-use the old passphrase you don't even have to change your OpenVPN configuration.
Changing the global OpenSSL configuration to allow legacy algorithms is a potential security issue which should be avoided.
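An added example, not code from the thread: it wraps the conversion above in a small check. `openssl pkcs12 -info -noout` (an existing OpenSSL option) reports the PBE schemes used for the certificate and key bags; the two `*_INFO` samples are constructed to look like that output, so the detection can be exercised without a real .pfx file.

```shell
# Decide whether a .pfx/.p12 still needs OpenSSL's legacy provider, then
# re-encrypt it the way the post above does. The *_INFO samples are
# constructed to resemble `openssl pkcs12 -info -noout` output.

# Constructed sample: a pfSense-style export using PKCS#12 v1 PBE modes.
LEGACY_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample: the same file after `openssl pkcs12 ... -aes256`.
MODERN_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# legacy_pbe_lines INFO_TEXT
# Print the certificate-bag and key-bag encryption lines that name a PBE
# scheme the default provider refuses (RC2, RC4, DES/3DES, any pbeWith* mode).
legacy_pbe_lines() {
    printf '%s\n' "$1" |
        grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):' |
        grep -E 'RC2|RC4|DES|pbeWith' || true
}

# needs_legacy_provider INFO_TEXT  -> status 0 if -legacy is required
needs_legacy_provider() {
    [ -n "$(legacy_pbe_lines "$1")" ]
}

# reencrypt_pkcs12 FILE
# Same steps as the post: keep the original as FILE.bak, decode it once with
# the legacy provider, write a PBES2/AES-256 file the default provider reads.
reencrypt_pkcs12() {
    f=$1
    info=$(openssl pkcs12 -info -noout -legacy -in "$f") || return 2
    if ! needs_legacy_provider "$info"; then
        echo "$f: already uses PBES2/AES, nothing to do" >&2
        return 0
    fi
    mv "$f" "$f.bak" &&
        openssl pkcs12 -in "$f.bak" -out "$f" -aes256 -legacy &&
        chmod 600 "$f"
}
```

`reencrypt_pkcs12` prompts for the old passphrase once and the new one twice, exactly like the manual commands; re-using the old passphrase keeps the OpenVPN config unchanged.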
Have you tried enabling the legacy provider in /etc/ssl/openssl.cnf?
Thanks, this solved the same problem after the update.
Do you know what auth and cipher the VPN connection uses?
Edit:
Also have a look at https://ask.fedoraproject.org/t/openssl … a-36/21123
The info is also in the config file, so I know it. But your link was helpful. Basically your first post already contained the solution, but I missed one line in your first suggestion: I didn't see that one has to add
legacy = legacy_sect
to the [provider_sect]
The VPN connection started working as soon as I edited that into the file. No reboot required.
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
activate = 1
[legacy_sect]
activate = 1
nm-openvpn[14025]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[14025]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[14025]: OpenSSL: error:0308010C:digital envelope routines::unsupported
nm-openvpn[14025]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
nm-openvpn[14025]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
nm-openvpn[14025]: SIGUSR1[soft,private-key-password-failure] received, process restarting
nm-openvpn[14025]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[14025]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[14025]: OpenSSL: error:0308010C:digital envelope routines::unsupported
nm-openvpn[14025]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
nm-openvpn[14025]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
nm-openvpn[14025]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Switching to stable and downgrading solves the issue for the moment. Any chance this can get solved in the packages or do I have to get my work to create better encrypted certificates for me?
The config file includes the option mentioned in the link in the WARNING: remote-cert-tls server