Security warnings using OpenVPN for Android with pfSense

kesawi

I'm currently using OpenVPN for Android 0.7.29 with pfSense 2.5.2 and find that it's generating security warnings when connecting to my pfSense firewall.

The warning I receive is:

Profile uses BF-CBC which depends on Open SSL legacy provider (not enabled)

I've set OpenVPN to auto negotiate data ciphers AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, with AES-256-GCM as the fallback cipher and haven't enabled BF-CBC anywhere.

My OVPN file generated by the client export utility is:

persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-client
client
remote vpn.mydomain.net 1194 udp
lport 0
verify-x509-name "External Firewall" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

I notice similar warnings for some other external profiles from other providers.

Gertjan

@kesawi
I understand your question ....
Is this a server or client message ?

Maybe some OpenVPN client 'humor' :
I rephrase :

Profile uses BF-CBC which is not enabled

BF-CBC isn't referenced in your opvn config (profile).

If the client software is based on 2.4.x, then "BF-CBC" was a default cipher method.

The current pfSense (25.5.2 CE or comparable) uses OpenVPN 2.5.x not the 2.4.x series.