Netgate Discussion Forum

    Problem connecting Tunnelblick 4.0.0 (latest stable) to pfSense 2.7.1 due to OpenSSL Version (solved)

    • bamypamy

      Hey, I just updated my Tunnelblick to the latest stable version 4.0.0, and since then I cannot connect to our OpenVPN running on a pfSense 2.7.1 anymore.
      When I click on connect it asks for a passphrase. In the logs, it shows this:

      2024-03-12 10:20:01.814019 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
      2024-03-12 10:20:01.814045 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
      

      I saw that Tunnelblick 4 uses OpenSSL 3 as a default.
      After changing it back to OpenSSL 1.1.1w in the Tunnelblick settings for the VPN it started to work again.

      Here it says that OpenSSL 3 is introduced with 2.7.1, which I have installed.
      https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#rn-2-7-1-openssl

      This is the OpenSSL version installed on the pfSense.

      OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
      

      Why does my VPN keep failing then?
      I couldn't find any setting to choose which OpenSSL Version the VPN should use.

      Any idea how to solve this without having to tell every user to change their settings?
      I would also like to use OpenSSL 3 instead of 1.1.1 since it is EOL.

      • bamypamy @bamypamy

        I found the problem.
        It is the pkcs12 cipher that was used to encrypt the file.
        It was encrypted with a cipher that is now considered weak.
        After exporting an inline config it works with OpenSSL 3 set in Tunnelblick.

        This pointed me in the right direction.
        https://forum.netgate.com/topic/177436/new-openvpn-client-2-6-0-deprecates-openssl-1-1-1-openssl-error-error-0308010c-digital-envelope-routines-unsupported/14

        • bamypamy

          I just also found it on the Tunnelblick website.
          https://tunnelblick.net/cTunnelblick4.html

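The second post traces the failure to the cipher protecting the PKCS#12 file, and the log in the first post names RC2-40-CBC. As an added example (not part of the thread, and not Tunnelblick or pfSense code), this Python script searches a .p12 file for the standard PKCS#12 scheme OIDs to show whether it depends on RC2 or RC4, which OpenSSL 3 only provides through its legacy provider. The sample bytes are constructed fragments, and the search is a byte-level heuristic rather than a full ASN.1 parse.

```python
"""Flag PKCS#12 password-based encryption schemes that OpenSSL 3 only
offers through its legacy provider (heuristic byte search for DER OIDs)."""
import sys

# DER encoding of the arc 1.2.840.113549.1.12.1 (pkcs-12PbeIds); the final
# byte selects the scheme. Names follow RFC 7292.
PKCS12_PBE = bytes.fromhex("060a2a864886f70d010c01")
# OID TLV -> (scheme name, True if the cipher lives in the legacy provider)
SCHEMES = {
    PKCS12_PBE + b"\x01": ("pbeWithSHAAnd128BitRC4", True),
    PKCS12_PBE + b"\x02": ("pbeWithSHAAnd40BitRC4", True),
    PKCS12_PBE + b"\x03": ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
    PKCS12_PBE + b"\x05": ("pbeWithSHAAnd128BitRC2-CBC", True),
    PKCS12_PBE + b"\x06": ("pbeWithSHAAnd40BitRC2-CBC", True),
    # id-PBES2, 1.2.840.113549.1.5.13 (the AES-capable scheme)
    bytes.fromhex("06092a864886f70d01050d"): ("PBES2", False),
}

def find_pbe_schemes(data: bytes):
    """Return sorted (offset, name, needs_legacy) for each scheme OID found."""
    hits = []
    for oid, (name, legacy) in SCHEMES.items():
        pos = data.find(oid)
        while pos != -1:
            hits.append((pos, name, legacy))
            pos = data.find(oid, pos + 1)
    return sorted(hits)

def needs_legacy_provider(data: bytes) -> bool:
    return any(legacy for _, _, legacy in find_pbe_schemes(data))

def _alg_id(oid_tlv: bytes) -> bytes:
    """Constructed sample: AlgorithmIdentifier with placeholder salt/count."""
    body = oid_tlv + bytes.fromhex("300e0408" + "11" * 8 + "02020800")
    return bytes([0x30, len(body)]) + body

# Constructed fragments, not complete .p12 files.
SAMPLE_OLD = _alg_id(PKCS12_PBE + b"\x06") + _alg_id(PKCS12_PBE + b"\x03")
SAMPLE_NEW = _alg_id(bytes.fromhex("06092a864886f70d01050d")) * 2

if __name__ == "__main__":
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "SAMPLE_OLD": SAMPLE_OLD, "SAMPLE_NEW": SAMPLE_NEW}
    for label, blob in blobs.items():
        verdict = "needs legacy provider" if needs_legacy_provider(blob) else "ok"
        print(f"{label}: {verdict}")
        for offset, name, legacy in find_pbe_schemes(blob):
            print(f"  0x{offset:04x} {name}{'  <-- legacy' if legacy else ''}")
```

Pass one or more .p12 paths as arguments to check real files; with no arguments it reports on the two constructed samples.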
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.