Netgate Discussion Forum
    New OpenVPN Client 2.6.0 deprecates OpenSSL 1.1.1 - OpenSSL error error:0308010C:digital envelope routines::unsupported

    14 Posts 3 Posters 11.4k Views
    • I
      IT_Luke
      last edited by

      As per topic, if you download the newly released OpenSSL 2.6.0, the OpenVPN client will no longer be able to decipher the generated certificates due to dropping of the old OpenSSL 1 in favor of the new OpenSSL 3. The last compatible version working with pfSense (2.6.0) is OpenSSL 2.5.8, so until the pfSense OpenVPN server side gets updated you will need to stick to OpenSSL client v2.5.8.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        How did you generate the certificates? They should work fine so long as you didn't use old/insecure properties like MD5 or SHA1, which haven't been recommended for quite some time.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        I 1 Reply Last reply Reply Quote 0
        • I
          IT_Luke @jimp
          last edited by

          @jimp the default values (SHA256, RSA key type length 2048)

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            That would still work, unless some part of the chain (CA maybe?) used SHA1 or MD5. They didn't deprecate SHA256.


            I 1 Reply Last reply Reply Quote 0
            • I
              IT_Luke @jimp
              last edited by IT_Luke

              @jimp Exporting the cert in .p12 format and running

              openssl pkcs12 -in mycert.p12 -info -nokeys -nocerts

              yields

              Enter Import Password:
              MAC: sha1, Iteration 1
              MAC length: 20, salt length: 8
              PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
              Error outputting keys and certificates
              406728619A7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

              which coincides with the unrecognized (dropped) crypto version.

              P.S. I just created & exported a new certificate to verify.
              P.P.S. The CA is also, of course, SHA-256.

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                That's a much different problem than OpenVPN not connecting or using the generated certificates.

                The PKCS#12 container problem is known and fixed in the repo for exporting from base:

                https://redmine.pfsense.org/issues/13257

                We still need to update the export package:

                https://redmine.pfsense.org/issues/13255


                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  The problem is we can't change it unilaterally because some things like macOS won't read PKCS#12 with the higher encryption options while OpenSSL 3 requires them. We "solved" that in base by giving the user a choice, which will have to be replicated in the export package yet.


                  I 1 Reply Last reply Reply Quote 0
                  • I
                    IT_Luke @jimp
                    last edited by

                    @jimp ok - I understand the .p12 export problem (I have encountered it in the past with Windows machines exporting them), but the error persists and is identical when the OpenVPN client attempts to decrypt the cert before connecting (just after you insert your password). So for the time being it is my understanding that for universal compatibility we best stick to OpenVPN v2.5.8 - correct?

                    jimpJ 1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate @IT_Luke
                      last edited by

                      @it_luke said in New OpenVPN Client 2.6.0 deprecates OpenSSL 1.1.1 - OpenSSL error error:0308010C:digital envelope routines::unsupported:

                      @jimp ok - I understand the .p12 export problem (I have encountered it in the past with Windows machines exporting them), but the error persists and is identical when the OpenVPN client attempts to decrypt the cert before connecting (just after you insert your password). So for the time being it is my understanding that for universal compatibility we best stick to OpenVPN v2.5.8 - correct?

                      It depends on what you need there.

                      If you are exporting PKCS#12 bundles from the GUI directly (NOT the export package) you can install the System Patches package and then create and apply entries for 9efec2778cd9a6379716fc32891614f1d4551cf4 then a7e50981ec30d5844d59b5fa7c324fb89d415d42 to update the GUI for the new PKCS#12 options. You have to fetch/apply the first patch before the second will apply.

                      If you are using the export package, then use one of the inline export methods, not one that relies on .p12 files.

                      We are still working on the best plan for integrating OpenVPN 2.6.0 into the export package, but it looks like we'll need to keep around the installers for 2.5.x and 2.4.x for a bit yet as well as changing the .p12 export options in there. It may be a while before we get all of that done.


                      1 Reply Last reply Reply Quote 4
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        I created https://redmine.pfsense.org/issues/13917 to track the integration of OpenVPN 2.6.0 into the export package.


                        1 Reply Last reply Reply Quote 3
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          As a quick test I confirmed that an older export does fail with OpenVPN 2.6.0 but I exported a .p12 from a snapshot using the cert manager set to 'high', without a password, and dropped that into the OpenVPN config folder with the right name and that worked.

                          So that's another option, but it's a bit cumbersome.


                          1 Reply Last reply Reply Quote 0
                          • B
                            Blaumeise
                            last edited by

                            I got the same problem in Windows 10 with version 2.6.8 …:

                            2023-11-22 14:39:39 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
                            2023-11-22 14:39:39 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
                            2023-11-22 14:39:39 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

                            My fast workaround was to use a previous OpenVPN version, namely OpenVPN-2.5.7-I602-amd64.msi, which worked for me.
                            I know it is less secure, but it is an internal system.
                            For download, here is a link to the historical versions:
                            https://build.openvpn.net/downloads/releases/

                            I 1 Reply Last reply Reply Quote 0
                            • I
                              IT_Luke @Blaumeise
                              last edited by

                              @Blaumeise have you tried using the inline config file instead of the separate certs? That should work without issues.

                              1 Reply Last reply Reply Quote 1
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                It shouldn't be a problem either way if you use a current version of pfSense with the current version of the export package. It properly sets the encryption on the PKCS#12 archive to be "high" by default which is compatible with OpenSSL 3.x. If you need to export for macOS/iOS (which don't support "high" level encryption on PKCS#12) you can set it to "low" which uses an older algorithm that is supported by both OpenSSL 3.x and macOS/iOS.


                                1 Reply Last reply Reply Quote 0
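Added example, not from the thread, pfSense, or OpenVPN: a small shell helper that applies the `openssl pkcs12 -info` check from IT_Luke's post and jimp's "high" profile (AES-256-CBC, SHA-256 MAC) above. It reports whether a .p12 still uses the RC2-40 parameters that OpenSSL 3 moved to the legacy provider, and re-wraps such a bundle with the modern parameters so an OpenVPN 2.6.x client can read it. It assumes only openssl(1) on PATH; all file names and passwords are placeholders.

```shell
#!/bin/sh
# Helper functions for checking and re-wrapping PKCS#12 bundles.
# Assumes openssl(1) 1.1.1 or 3.x; paths/passwords are caller-supplied.
set -eu

# Print the container's MAC and PBE algorithms without dumping key or cert.
# OpenSSL 3 prints these header lines even when it then fails on RC2-40,
# so the text is usable for detection either way. $1 = bundle, $2 = password.
p12_info() {
    openssl pkcs12 -in "$1" -info -nokeys -nocerts -passin "pass:$2" 2>&1 || true
}

# Succeed if the bundle uses a cipher that OpenSSL 3 only offers via the
# legacy provider (RC2-40 appears as pbeWithSHA1And40BitRC2-CBC, and the
# failing fetch names it as RC2-40-CBC).
p12_is_legacy() {
    p12_info "$1" "$2" | grep -Eq 'RC2|RC4'
}

# Succeed if MAC and both PBEs match the "high" profile: SHA-256 MAC and
# PBES2/AES-256-CBC, with no RC2 or 3DES anywhere in the container.
p12_is_high() {
    out=$(p12_info "$1" "$2")
    echo "$out" | grep -q 'MAC: sha256' \
        && echo "$out" | grep -q 'AES-256-CBC' \
        && ! echo "$out" | grep -Eq 'RC2|3DES|DES-EDE3'
}

# Re-wrap $1 (password $3) into $2 (password $4) with explicit modern
# parameters. The first read tries -legacy, which OpenSSL 3 needs for RC2-40
# input; OpenSSL 1.1.1 rejects that flag, so fall back to a plain read.
p12_rewrap_high() {
    umask 077                      # the intermediate PEM holds the private key
    tmp=$(mktemp)
    openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -legacy -out "$tmp" 2>/dev/null \
        || openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$tmp"
    openssl pkcs12 -export -in "$tmp" -out "$2" -passout "pass:$4" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
    rm -f "$tmp"
}
```

Run `p12_is_legacy client.p12 'password' && p12_rewrap_high client.p12 client-high.p12 'password' 'password'` to convert an old export in place of re-exporting from pfSense; the macOS/iOS caveat from the thread still applies to the resulting "high" bundle.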
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.