Netgate Discussion Forum

New OpenVPN Client 2.6.0 deprecates OpenSSL 1.1.1 - OpenSSL error error:0308010C:digital envelope routines::unsupported

14 Posts 3 Posters 11.5k Views
  • I
    IT_Luke @jimp
    last edited by IT_Luke Jan 30, 2023, 3:31 PM Jan 30, 2023, 3:30 PM

    @jimp Exporting the cert in .p12 format and running

    openssl pkcs12 -in mycert.p12 -info -nokeys -nocerts

    yields

    Enter Import Password:
    MAC: sha1, Iteration 1
    MAC length: 20, salt length: 8
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Error outputting keys and certificates
    406728619A7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

    which coincides with the unrecognized (dropped) crypto version.

    P.S. I just created & exported a new certificate to verify.
    P.P.S the CA is also of course SHA 256

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jan 30, 2023, 3:33 PM

      That's a much different problem than OpenVPN not connecting or using the generated certificates.

      The PKCS#12 container problem is known and fixed in the repo for exporting from base:

      https://redmine.pfsense.org/issues/13257

      We still need to update the export package:

      https://redmine.pfsense.org/issues/13255

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Jan 30, 2023, 3:34 PM

        The problem is we can't change it unilaterally because some things like macOS won't read PKCS#12 with the higher encryption options while OpenSSL 3 requires them. We "solved" that in base by giving the user a choice, which will have to be replicated in the export package yet.

        • I
          IT_Luke @jimp
          last edited by Jan 30, 2023, 3:41 PM

          @jimp ok - I understand the .p12 export problem (I have encountered it in the past with Windows machines exporting them), but the error persists and is identical when the OpenVPN client attempts to decrypt the cert before connecting (just after you insert your password). So for the time being it is my understanding that for universal compatibility issues we best stick to OpenVPN version 2.5.8 - correct?

          • J
            jimp Rebel Alliance Developer Netgate @IT_Luke
            last edited by Jan 30, 2023, 3:52 PM

            @it_luke said in New OpenVPN Client 2.6.0 deprecates OpenSSL 1.1.1 - OpenSSL error error:0308010C:digital envelope routines::unsupported:

            @jimp ok - I understand the .p12 export problem (I have encountered it in the past with Windows machines exporting them), but the error persists and is identical when the OpenVPN client attempts to decrypt the cert before connecting (just after you insert your password). So for the time being it is my understanding that for universal compatibility issues we best stick to OpenVPN version 2.5.8 - correct?

            It depends on what you need there.

            If you are exporting PKCS#12 bundles from the GUI directly (NOT the export package) you can install the System Patches package and then create and apply entries for 9efec2778cd9a6379716fc32891614f1d4551cf4 then a7e50981ec30d5844d59b5fa7c324fb89d415d42 to update the GUI for the new PKCS#12 options. You have to fetch/apply the first patch before the second will apply.

            If you are using the export package, then use one of the inline export methods, not one that relies on .p12 files.

            We are still working on the best plan for integrating OpenVPN 2.6.0 into the export package, but it looks like we'll need to keep around the installers for 2.5.x and 2.4.x for a bit yet as well as changing the .p12 export options in there. It may be a while before we get all of that done.

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Jan 30, 2023, 4:03 PM

              I created https://redmine.pfsense.org/issues/13917 to track the integration of OpenVPN 2.6.0 into the export package.

              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Jan 30, 2023, 4:12 PM

                As a quick test I confirmed that an older export does fail with OpenVPN 2.6.0 but I exported a .p12 from a snapshot using the cert manager set to 'high', without a password, and dropped that into the OpenVPN config folder with the right name and that worked.

                So that's another option, but it's a bit cumbersome.

                • B
                  Blaumeise
                  last edited by Nov 23, 2023, 10:40 AM

                  I got the same problem in Windows 10 with version 2.6.8 …:

                  2023-11-22 14:39:39 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
                  2023-11-22 14:39:39 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
                  2023-11-22 14:39:39 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

                  My fast workaround was to use a previous OpenVPN version, namely OpenVPN-2.5.7-I602-amd64.msi, which worked for me.
                  I know it is less secure, but it is an internal system.
                  For download, here is a link to the historical versions:
                  https://build.openvpn.net/downloads/releases/

                  • I
                    IT_Luke @Blaumeise
                    last edited by Nov 23, 2023, 12:41 PM

                    @Blaumeise have you tried using the inline config file instead of the separate certs? That should work without issues.

                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Nov 27, 2023, 2:47 PM

                      It shouldn't be a problem either way if you use a current version of pfSense with the current version of the export package. It properly sets the encryption on the PKCS#12 archive to be "high" by default which is compatible with OpenSSL 3.x. If you need to export for macOS/iOS (which don't support "high" level encryption on PKCS#12) you can set it to "low" which uses an older algorithm that is supported by both OpenSSL 3.x and macOS/iOS.

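Added example, not part of the original thread and not Netgate or OpenVPN code: a small shell check that reads the text printed by `openssl pkcs12 -info` (the command used in the first post) and flags bags encrypted with RC2, RC4 or single DES, which OpenSSL 3.x only provides through its legacy provider. The function name `p12_audit` and the second sample are assumptions made for the example; the first sample is the output quoted in the thread, which OpenSSL 3 prints before it fails, so the check works without the legacy provider loaded.

```bash
#!/bin/sh
# Added example: flag PKCS#12 bags whose encryption is outside the OpenSSL 3.x
# default provider. Real use (file name is a placeholder; 2>&1 captures the
# -info text whichever stream openssl writes it to):
#   openssl pkcs12 -in mycert.p12 -info -nokeys -nocerts 2>&1 | p12_audit

# Reads `openssl pkcs12 -info` text on stdin and prints "VERDICT<TAB>algorithm"
# for each encrypted bag. Returns 1 if any bag uses RC2, RC4 or single DES
# (legacy provider only in OpenSSL 3.x), otherwise 0.
p12_audit() {
    awk '
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            alg = $0
            sub(/^[^:]*: /, "", alg)        # drop the bag label
            sub(/, Iteration.*$/, "", alg)  # drop iteration count and PRF
            if (alg ~ /RC2|RC4|(And|, )DES-CBC/) { verdict = "LEGACY"; bad = 1 }
            else                                 { verdict = "OK" }
            printf "%s\t%s\n", verdict, alg
        }
        END { exit bad ? 1 : 0 }
    '
}

# Output quoted in the thread above (first three lines, as posted).
THREAD_SAMPLE='MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'

# Constructed sample: the shape of -info output for an AES/PBKDF2 archive.
MODERN_SAMPLE='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

printf '%s\n' "$THREAD_SAMPLE" | p12_audit || echo "re-export needed for OpenSSL 3.x clients"
printf '%s\n' "$MODERN_SAMPLE" | p12_audit && echo "readable with the OpenSSL 3.x default provider"
```

A LEGACY verdict corresponds to the RC2-40-CBC "unsupported" error shown in the thread; re-exporting the archive with the newer encryption setting described in the last post removes it.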