Problem connecting Tunnelblick 4.0.0 (latest stable) to pfSense 2.7.1 due to OpenSSL Version (solved)
-
Hey, I just updated my Tunnelblick to the latest stable version 4.0.0, and since then I cannot connect to our OpenVPN running on a pfSense 2.7.1 anymore.
When I click on connect it asks for a passphrase. In the logs, it shows this:
2024-03-12 10:20:01.814019 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-03-12 10:20:01.814045 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
I saw that Tunnelblick 4 uses OpenSSL 3 as a default.
After changing it back to OpenSSL 1.1.1w in the Tunnelblick settings for the VPN it started to work again.
Here it says that OpenSSL 3 is introduced with 2.7.1, which I have installed.
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#rn-2-7-1-openssl
This is the OpenSSL version installed on the pfSense.
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Why does my VPN keep failing then?
I couldn't find any setting to choose which OpenSSL version the VPN should use.
Any idea how to solve this without having to tell every user to change their settings?
I would also like to use OpenSSL 3 instead of 1.1.1 since it is EOL. -
I found the problem.
It is the pkcs12 cipher that was used to encrypt the file.
It was encrypted with a cipher that is now considered weak.
After exporting an inline config it works with OpenSSL 3 set in Tunnelblick.
This pointed me in the right direction.
https://forum.netgate.com/topic/177436/new-openvpn-client-2-6-0-deprecates-openssl-1-1-1-openssl-error-error-0308010c-digital-envelope-routines-unsupported/14 -
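Added example, not part of this thread and not pfSense or Tunnelblick code: a standard-library-only Python script that walks the DER of a .p12 file and reports which PKCS#12 password-based-encryption schemes it uses, so an admin can check an exported bundle before handing it to OpenSSL 3 clients instead of waiting for the "RC2-40-CBC ... unsupported" error above. The OID table, the "in default provider" flags and the function names (collect_oids, classify, sample_bundle) are my own; sample_bundle builds a constructed stand-in with the same layout as an OpenSSL 1.1.1 export (RC2-40 certificate bag, 3DES key bag), not a loadable .p12, so the script runs without a real file.

```python
"""Flag PKCS#12 password-based encryption that OpenSSL 3 serves only via its
'legacy' provider; RC2-40-CBC, OpenSSL 1.1.1's default for the certificate
bag, is the usual offender.  Stdlib-only DER walk, not a full PKCS#12 parser."""
import sys

# PKCS#12 PBE OIDs (RFC 7292 appendix C) plus PKCS#5 PBES2, which OpenSSL 3's
# 'pkcs12 -export' emits by default (PBKDF2 + AES).  Bool: in default provider.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4", False),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHA1And40BitRC4", False),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", True),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", False),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", False),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + modern cipher)", True),
}

def decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER content bytes -> dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(data: bytes, pos: int = 0, end: int = -1) -> list:
    """Every OID in data[pos:end]; ValueError if the span is not clean DER."""
    end, oids = (len(data) if end < 0 else end), []
    while pos < end:
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length == 0x80:
            raise ValueError("indefinite length is not DER")
        if length & 0x80:                   # long form: next n bytes hold length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        content_end = pos + length
        if pos > end or content_end > end:
            raise ValueError("element overruns its container")
        if tag & 0x20:                      # constructed: descend
            oids += collect_oids(data, pos, content_end)
        elif tag == 0x06:                   # OBJECT IDENTIFIER
            oids.append(decode_oid(data[pos:content_end]))
        elif tag == 0x04:
            # PKCS#12 nests DER in OCTET STRINGs (authSafe, SafeContents), but
            # ciphertext is one too: keep nested OIDs only if it parses cleanly.
            try:
                oids += collect_oids(data, pos, content_end)
            except (ValueError, IndexError):
                pass
        pos = content_end
    return oids

def classify(data: bytes):
    """(legacy_only, default_ok): names of the PBE schemes found in the bundle."""
    legacy, ok = [], []
    for oid in collect_oids(data):
        if oid in PBE_OIDS:
            name, in_default = PBE_OIDS[oid]
            (ok if in_default else legacy).append(name)
    return legacy, ok

# ---- constructed sample (NOT a loadable .p12) so the script runs offline ----
def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80                 # short-form length is enough here
    return bytes([tag, len(body)]) + body
JUNK = b"\x13\x37" * 8                      # ciphertext stand-in, not valid DER

def sample_bundle(cert_pbe: str, key_pbe: str) -> bytes:
    """Layout-only mimic: EncryptedData for the cert bag, a PKCS8ShroudedKeyBag
    inside an OCTET STRING-wrapped SafeContents, and SHA-1 MacData."""
    def alg_id(oid):
        return tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    enc_data = tlv(0x30, alg_id(cert_pbe) + tlv(0x04, JUNK))
    key_bag = tlv(0x30, alg_id(key_pbe) + tlv(0x04, JUNK))
    safe_contents = tlv(0x04, tlv(0x30, key_bag))
    mac_data = tlv(0x30, alg_id("1.3.14.3.2.26"))      # id-sha1
    auth_safe = tlv(0x30, enc_data + safe_contents)
    return tlv(0x30, tlv(0x02, b"\x03") + auth_safe + mac_data)

if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else
            sample_bundle("1.2.840.113549.1.12.1.6", "1.2.840.113549.1.12.1.3"))
    legacy, ok = classify(blob)  # sample = OpenSSL 1.1.1 layout: RC2-40 + 3DES
    print("default provider:", ok)
    print("LEGACY provider :", legacy)
```

Run it as `python3 p12check.py client.p12`; without an argument it scans the constructed sample and reports the RC2-40 cert bag as legacy-only and the 3DES key bag as fine. The CLI equivalent is `openssl pkcs12 -info -in client.p12 -noout`, which prints the same PBE names (on OpenSSL 3 add `-legacy`, with the legacy provider installed, to get through an RC2 bundle). If the check flags a bundle, either re-export it with modern PBE on a machine that can still read it (`openssl pkcs12 -in old.p12 -legacy -nodes -out bundle.pem`, then `openssl pkcs12 -export -in bundle.pem -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 -out new.p12`) or, as the post above did, export an inline OpenVPN config from pfSense so no .p12 is involved at all.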
I also just found it on the Tunnelblick website.
https://tunnelblick.net/cTunnelblick4.html