Netgate Discussion Forum

New OpenVPN Client 2.6.0 deprecates OpenSSL 1.1.1 - OpenSSL error error:0308010C:digital envelope routines::unsupported

OpenVPN
14 Posts 3 Posters 11.4k Views
    IT_Luke
    last edited by Jan 30, 2023, 11:38 AM

    As per topic, if you download the newly released OpenSSL 2.6.0, the OpenVPN client will no longer be able to decipher the generated certificates due to dropping of the old OpenSSL 1 in favor of the new OpenSSL 3. The last compatible version working with pfSense (2.6.0) is OpenSSL 2.5.8 so until the pfSense OpenVPN server side gets updated you will need to stick to OpenSSL client v2.5.8.

      jimp Rebel Alliance Developer Netgate
      last edited by Jan 30, 2023, 2:25 PM

      How did you generate the certificates? They should work fine so long as you didn't use old/insecure properties like MD5 or SHA1, which haven't been recommended for quite some time.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        IT_Luke @jimp
        last edited by Jan 30, 2023, 3:09 PM

        @jimp the default values (SHA256, RSA key type length 2048)

          jimp Rebel Alliance Developer Netgate
          last edited by Jan 30, 2023, 3:13 PM

          That would still work, unless some part of the chain (CA maybe?) used SHA1 or MD5. They didn't deprecate SHA256.

            IT_Luke @jimp
            Jan 30, 2023, 3:30 PM (last edited by IT_Luke Jan 30, 2023, 3:31 PM)

            @jimp Exporting the cert in .p12 format and running

            openssl pkcs12 -in mycert.p12 -info -nokeys -nocerts

            yields

            Enter Import Password:
            MAC: sha1, Iteration 1
            MAC length: 20, salt length: 8
            PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
            Error outputting keys and certificates
            406728619A7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

            which coincides with the unrecognized (dropped) crypto version.

            P.S. I just created & exported a new certificate to verify.
            P.P.S. The CA is also, of course, SHA256.

              jimp Rebel Alliance Developer Netgate
              last edited by Jan 30, 2023, 3:33 PM

              That's a much different problem than OpenVPN not connecting or using the generated certificates.

              The PKCS#12 container problem is known and fixed in the repo for exporting from base:

              https://redmine.pfsense.org/issues/13257

              We still need to update the export package:

              https://redmine.pfsense.org/issues/13255

                jimp Rebel Alliance Developer Netgate
                last edited by Jan 30, 2023, 3:34 PM

                The problem is we can't change it unilaterally because some things like macOS won't read PKCS#12 with the higher encryption options while OpenSSL 3 requires them. We "solved" that in base by giving the user a choice, which will have to be replicated in the export package yet.

                  IT_Luke @jimp
                  last edited by Jan 30, 2023, 3:41 PM

                  @jimp ok - I understand the .p12 export problem (I have encountered it in the past with Windows machines exporting them), but the error persists and is identical when the OpenVPN client attempts to decrypt the cert before connecting (just after you insert your password). So for the time being it is my understanding that for universal compatibility issues we best stick to OpenVPN v2.5.8 - correct?

                    jimp Rebel Alliance Developer Netgate @IT_Luke
                    last edited by Jan 30, 2023, 3:52 PM

                    @it_luke said in New OpenVPN Client 2.6.0 deprecates OpenSSL 1.1.1 - OpenSSL error error:0308010C:digital envelope routines::unsupported:

                    @jimp ok - I understand the .p12 export problem (I have encountered it in the past with Windows machines exporting them), but the error persists and is identical when the OpenVPN client attempts to decrypt the cert before connecting (just after you insert your password). So for the time being it is my understanding that for universal compatibility issues we best stick to OpenVPN v2.5.8 - correct?

                    It depends on what you need there.

                    If you are exporting PKCS#12 bundles from the GUI directly (NOT the export package) you can install the System Patches package and then create and apply entries for 9efec2778cd9a6379716fc32891614f1d4551cf4 then a7e50981ec30d5844d59b5fa7c324fb89d415d42 to update the GUI for the new PKCS#12 options. You have to fetch/apply the first patch before the second will apply.

                    If you are using the export package, then use one of the inline export methods, not one that relies on .p12 files.

                    We are still working on the best plan for integrating OpenVPN 2.6.0 into the export package, but it looks like we'll need to keep around the installers for 2.5.x and 2.4.x for a bit yet as well as changing the .p12 export options in there. It may be a while before we get all of that done.

                      jimp Rebel Alliance Developer Netgate
                      last edited by Jan 30, 2023, 4:03 PM

                      I created https://redmine.pfsense.org/issues/13917 to track the integration of OpenVPN 2.6.0 into the export package.

                        jimp Rebel Alliance Developer Netgate
                        last edited by Jan 30, 2023, 4:12 PM

                        As a quick test I confirmed that an older export does fail with OpenVPN 2.6.0 but I exported a .p12 from a snapshot using the cert manager set to 'high', without a password, and dropped that into the OpenVPN config folder with the right name and that worked.

                        So that's another option, but it's a bit cumbersome.

                          Blaumeise
                          last edited by Nov 23, 2023, 10:40 AM

                          I got the same problem in Windows 10 with version 2.6.8 …:

                          2023-11-22 14:39:39 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
                          2023-11-22 14:39:39 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
                          2023-11-22 14:39:39 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

                          My fast workaround was to use a previous openvpn version, namely version OpenVPN-2.5.7-I602-amd64.msi which worked for me.
                          I know it is less secure, but it is an internal system.
                          For download: Here is a link of history versions:
                          https://build.openvpn.net/downloads/releases/

                            IT_Luke @Blaumeise
                            last edited by Nov 23, 2023, 12:41 PM

                            @Blaumeise have you tried using the inline config file instead of the separate certs? That should work without issues.

                              jimp Rebel Alliance Developer Netgate
                              last edited by Nov 27, 2023, 2:47 PM

                              It shouldn't be a problem either way if you use a current version of pfSense with the current version of the export package. It properly sets the encryption on the PKCS#12 archive to be "high" by default which is compatible with OpenSSL 3.x. If you need to export for macOS/iOS (which don't support "high" level encryption on PKCS#12) you can set it to "low" which uses an older algorithm that is supported by both OpenSSL 3.x and macOS/iOS.


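Putting the thread's two points together in one script, as an added example that is not pfSense's exporter and not OpenVPN code: the `openssl pkcs12 -info` check IT_Luke ran earlier to see which PBE scheme a bundle carries, followed by a re-export that rebuilds the bundle with algorithms an OpenSSL 3 client accepts. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH, and it assumes a mapping for the two levels jimp describes (high = PBES2/AES-256-CBC with a SHA-256 MAC, low = PBE-SHA1-3DES with a SHA-1 MAC); the thread itself does not name the algorithms behind those labels. A bundle that only OpenSSL 3 rejects (the RC2-40-CBC case in the error above) is read back through OpenSSL 3's optional legacy provider, which is not loaded by default.

```sh
#!/bin/sh
# Check which PBE/MAC algorithms a PKCS#12 bundle uses and rebuild it for OpenSSL 3
# clients such as OpenVPN 2.6. Added example for this thread; not pfSense's exporter
# and not OpenVPN code. Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH, and
# assumes this mapping for the two levels discussed above (the thread does not name
# them): high = PBES2/AES-256-CBC with a SHA-256 MAC, low = PBE-SHA1-3DES with a
# SHA-1 MAC. 3DES stayed in OpenSSL 3's default provider; RC2/RC4 did not.
set -eu
umask 077

# p12_algorithms FILE PASSWORD: print the MAC and PBE algorithm lines that
# `openssl pkcs12 -info` reports (the check used earlier in the thread). If an
# OpenSSL 3 default context refuses the bundle ("error:0308010C ... unsupported"),
# retry with the legacy provider so the diagnosis still completes. OpenSSL 1.1.1
# has no -legacy option and reads RC2-40 bundles directly.
p12_algorithms() {
    out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -info -nokeys -nocerts 2>&1) || true
    case $out in
        *unsupported*)
            out=$(openssl pkcs12 -legacy -in "$1" -passin "pass:$2" \
                  -info -nokeys -nocerts 2>&1) || true ;;
    esac
    printf '%s\n' "$out" | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# p12_needs_legacy FILE PASSWORD: succeed (exit 0) when the bundle uses an RC2 or RC4
# PBE scheme, i.e. when OpenSSL 3 would need the legacy provider to decode it.
p12_needs_legacy() {
    p12_algorithms "$1" "$2" | grep -Eiq 'RC2|RC4'
}

# p12_reexport IN OUT PASSWORD LEVEL: unpack IN to PEM and rebuild it as OUT with the
# algorithms for LEVEL (high|low). The same password is reused for OUT.
p12_reexport() {
    in=$1; out=$2; pw=$3
    case $4 in
        high) pbe=AES-256-CBC;   mac=sha256 ;;
        low)  pbe=PBE-SHA1-3DES; mac=sha1 ;;
        *) echo "level must be high or low" >&2; return 1 ;;
    esac
    pem=$(mktemp)
    # -nodes writes the private key unencrypted to the 0600 temp file; removed below.
    openssl pkcs12 -in "$in" -passin "pass:$pw" -nodes -out "$pem" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$in" -passin "pass:$pw" -nodes -out "$pem"
    openssl pkcs12 -export -in "$pem" -out "$out" -passout "pass:$pw" \
        -certpbe "$pbe" -keypbe "$pbe" -macalg "$mac"
    rm -f "$pem"
}

# Usage: P12PASS=secret sh p12-reexport.sh client.p12 client-high.p12 [high|low]
if [ $# -ge 2 ]; then
    p12_reexport "$1" "$2" "${P12PASS:-}" "${3:-high}"
    p12_algorithms "$2" "${P12PASS:-}"
fi
```

The `-legacy` retry only helps on OpenSSL 3 hosts where the legacy provider module is installed; if it is missing, the only remaining path is to re-export the bundle on the server side as the thread describes. A "low" bundle stays readable by OpenSSL 3 because the 3DES PBE scheme is still in the default provider, which is why it can serve both macOS/iOS and an OpenVPN 2.6 client, while a "high" bundle is what you want when no macOS/iOS importer is involved. After re-exporting, the OpenVPN client configuration that references the .p12 file does not need to change.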
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.