You are not logged in.

#1 2022-11-03 20:52:29

BS86
Member
Registered: 2022-11-03
Posts: 33

Openvpn connection fails after openssl 3 update

After applying the update set with the openssl 3 rebuilds, I can no longer connect to work using openVPN (from KDE Plasma's Networks Systray Icon)
The interface tells me that the connection timeouts, but with the following errors being written into journal:

nm-openvpn[14025]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[14025]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[14025]: OpenSSL: error:0308010C:digital envelope routines::unsupported
nm-openvpn[14025]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
nm-openvpn[14025]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
nm-openvpn[14025]: SIGUSR1[soft,private-key-password-failure] received, process restarting
nm-openvpn[14025]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[14025]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[14025]: OpenSSL: error:0308010C:digital envelope routines::unsupported
nm-openvpn[14025]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
nm-openvpn[14025]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
nm-openvpn[14025]: SIGUSR1[soft,private-key-password-failure] received, process restarting

Switching to stable and downgrading solves the issue for the moment. Any chance this can get solved in the packages or do I have to get my work to create better encrypted certificates for me?
The config file includes the option mentioned in the link in the WARNING: remote-cert-tls server

Offline

#2 2022-11-03 22:08:06

loqs
Member
Registered: 2014-03-06
Posts: 18,032

Re: Openvpn connection fails after openssl 3 update

Have you tried enabling the legacy provider in /etc/ssl/openssl.cnf?

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
activate = 1

[legacy_sect]
activate = 1

Last edited by loqs (2022-11-03 22:08:31)

Offline

#3 2022-11-03 22:14:44

BS86
Member
Registered: 2022-11-03
Posts: 33

Re: Openvpn connection fails after openssl 3 update

Thanks, but did not change the problem, same message still shown in journal (I rebooted after changing that config)

Offline

#4 2022-11-03 22:19:27

loqs
Member
Registered: 2014-03-06
Posts: 18,032

Re: Openvpn connection fails after openssl 3 update

Do you know what auth and cipher the VPN connection uses?
Edit:
Also have a look at https://ask.fedoraproject.org/t/openssl … a-36/21123

Last edited by loqs (2022-11-03 22:33:32)

Offline

#5 2022-11-03 22:42:53

BS86
Member
Registered: 2022-11-03
Posts: 33

Re: Openvpn connection fails after openssl 3 update

loqs wrote:

Do you know what auth and cipher the VPN connection uses?
Edit:
Also have a look at https://ask.fedoraproject.org/t/openssl … a-36/21123

The info is also in the config - file, so I know it. But your link was helpful, basically your first post already contained the solution, but I missed one line in your first suggestion, I didn't see that one has to add

legacy = legacy_sect

to the [provider_sect]

The VPN connection started working as soon as I edited that into the file. No reboot required.

Last edited by BS86 (2022-11-03 22:44:49)

Offline

#6 2022-11-04 05:16:05

javum
Member
Registered: 2009-07-31
Posts: 21

Re: Openvpn connection fails after openssl 3 update

loqs wrote:

Have you tried enabling the legacy provider in /etc/ssl/openssl.cnf?

Thanks, this solved same problem after update.

Offline

#7 2022-11-12 14:44:41

jaeckel
Member
Registered: 2022-11-12
Posts: 1

Re: Openvpn connection fails after openssl 3 update

A better approach would be to re-encrypt your keyfile with a non-legacy algorithm.

$ cd path/to/the/pfx-file
$ mv mykeys.pfx mykeys.pfx.bak
$ openssl pkcs12 -in mykeys.pfx.bak -out mykeys.pfx -aes256 -legacy

Note: It's possible that your keyfile has a .p12 extension, that's an alternative valid file extension to .pfx.

The 'openssl' command will ask you first for your old passphrase to do the import and then twice for the new passphrase. If you re-use the old passphrase you don't even have to change your OpenVPN configuration.

Changing the global OpenSSL configuration to allow legacy algorithms is a potential security issue which should be avoided.

Last edited by jaeckel (2022-11-12 14:46:38)

Offline

#8 2023-03-16 23:56:04

ddelpino
Member
Registered: 2011-03-07
Posts: 22

Re: Openvpn connection fails after openssl 3 update

Thanks very much!

I edited /etc/ssl/openssl.cnf file and resolved my problem.

But, I don't understand, this is a bug or is a permanent change? will be possible to use no password TLS key files in the future?

I have hundreds of clients with this configurations from PFSense.

Offline

Board footer

Powered by FluxBB