Comments (5)
Your issue is lacking everything we could need to help you figure out what is going on.
First, start with OpenVPN logfiles from 2.5 and 2.6 to see where it differs, and why 2.6 wants to ask for a username+password where 2.5 doesn't. Then, having the openvpn config file (remove keys!) would be useful to be able to reproduce the issue.
from openvpn.
The problem with the password dialog always occurs when using pkcs12 files.
It is caused by OpenSSL 3.0.x. The new OpenSSL version does not accept empty passwords for pkcs12 files.
If a pkcs12 file is to be opened, the only feedback is that it is password protected, and then
in OpenVPN the function pem_password_callback in ssl_openssl.c line 840 is triggered.
This always opens the OpenVPN password dialog.
Such configurations can be created with firewalls (pfSense, OPNsense) as an archive export. Normally no passwords are set for p12 files there.
Test example for OpenSSL 3.0.x and OpenSSL 1.1.1t
OpenSSL 3.0.x
e:\TEST\openssl\openssl-3\x64\bin>openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
e:\TEST\openssl\openssl-3\x64\bin>openssl pkcs12 -in TEST.p12
Password required
e:\TEST\openssl\openssl-3\x64\bin>openssl pkcs12 -in TEST.p12 -password pass:
Error outputting keys and certificates
F4430000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:..\crypto\evp\evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
OpenSSL 1.1.1x
c:\Program Files\OpenVPN\bin>openssl version
OpenSSL 1.1.1t 7 Feb 2023
c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST.p12
Enter Import Password: (Enter pressed)
Bag Attributes
localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5
c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST.p12 -password pass:
Bag Attributes
localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5
from openvpn.
Empty passwords with pkcs12 have always been sketchy and I am not surprised that they break now. I would suggest just using key and cert files.
That being said, your problem seems to be that your pkcs12 is still RC2 encrypted:
F4430000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:..\crypto\evp\evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
You will need to switch to a better encryption scheme or load the legacy provider: --providers legacy default for openvpn, and -provider legacy -provider default for OpenSSL 3.0.
The problem with the password dialog always occurs when using pkcs12 files.
It is caused by OpenSSL 3.0.x. The new OpenSSL version does not accept empty passwords for pkcs12 files.
Your pkcs12 file is encrypted by an algorithm (RC2?) that is deprecated in OpenSSL 3.0. You either need to recreate the pkcs12 file -- import using the -legacy option and export back without using -legacy -- or use the change passphrase menu in the GUI; this is possible only if the pkcs12 file is in a location writeable by the user.
The GUI will still prompt for the password on the first run; you can opt to save it at that time and it will not prompt again. Or just import the pkcs12 file into the Windows certificate store and use cryptoapicert. Arguably more secure and easier once set up.
c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST2.p12 -info
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5
Yes, it is RC2-CBC
OK, then the archive configurations of the firewalls do not work because they are still encrypted with RC2-CBC which is no longer used in OpenSSL 3.
Since we have no direct influence on the OpenVPN Client Export functions of the firewalls (opnsense), we have to wait until they are updated or switch to mbed TLS (inline configuration files).