Comments (5)

cron2 commented on May 27, 2024

Your issue is lacking everything we could need to help you figure out what is going on.

First, start with OpenVPN logfiles from 2.5 and 2.6 to see where it differs, and why 2.6 wants to ask for a username+password where 2.5 doesn't. Then, having the openvpn config file (remove keys!) would be useful to be able to reproduce the issue.

kretze commented on May 27, 2024

The problem with the password dialog always occurs when using pkcs12 files.
It is caused by OpenSSL 3.0.x. The new OpenSSL version does not accept empty passwords for pkcs12 files.

If a pkcs12 file is to be opened, the only feedback is that it is password protected, and then
in OpenVPN the function pem_password_callback in ssl_openssl.c line 840 is triggered.
This always opens the OpenVPN password dialog.

Such configurations can be created with firewalls (pfsense, opnsense) as an archive export. Normally no passwords for p12 files are set there.

Test example for OpenSSL 3.0.x and OpenSSL 1.1.1t

OpenSSL 3.0.x
e:\TEST\openssl\openssl-3\x64\bin>openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

e:\TEST\openssl\openssl-3\x64\bin>openssl pkcs12 -in TEST.p12
Password required

e:\TEST\openssl\openssl-3\x64\bin>openssl pkcs12 -in TEST.p12 -password pass:
Error outputting keys and certificates
F4430000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:..\crypto\evp\evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

OpenSSL 1.1.1x
c:\Program Files\OpenVPN\bin>openssl version
OpenSSL 1.1.1t 7 Feb 2023

c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST.p12
Enter Import Password: (Enter pressed)
Bag Attributes
localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5

c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST.p12 -password pass:
Bag Attributes
localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5

schwabe commented on May 27, 2024

Empty passwords with pkcs12 have always been sketchy and I am not surprised that they break now. I would suggest just using key and cert files.

That being said, your problem seems to be that your pkcs12 is still RC2 encrypted:

F4430000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:..\crypto\evp\evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
You will need to switch to a better encryption scheme or load the legacy provider: --providers legacy default for OpenVPN, and -provider legacy -provider default for OpenSSL 3.0.

selvanair commented on May 27, 2024

The problem with the password dialog always occurs when using pkcs12 files.
It is caused by OpenSSL 3.0.x. The new OpenSSL version does not accept empty passwords for pkcs12 files.

Your pkcs12 file is encrypted by an algorithm (RC2?) that is deprecated in OpenSSL 3.0. You either need to recreate the pkcs12 file -- import using the -legacy option and export back without using -legacy -- or use the change passphrase menu in the GUI; this is possible only if the pkcs12 file is in a location writeable by the user.

The GUI will still prompt for the password on the first run; you can opt to save it at that time and it will not prompt again. Or just import the pkcs12 file into the Windows certificate store and use cryptoapicert. Arguably more secure and easier once set up.

kretze commented on May 27, 2024

c:\Program Files\OpenVPN\bin>openssl pkcs12 -in e:\TEST\openssl\openssl-3\x64\bin\TEST2.p12 -info
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 95 DE 83 37 A7 AF E2 76 CB 91 6D 79 36 A0 67 3B A1 05 AA A5

Yes, it is RC2-CBC.

OK, then the archive configurations of the firewalls do not work because they are still encrypted with RC2-CBC, which is no longer used in OpenSSL 3.
Since we have no direct influence on the OpenVPN Client Export functions of the firewalls (opnsense), we have to wait until they are updated or switch to mbed TLS (inline configuration files).

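An added example, not code from this thread or from OpenVPN: a pure-Python scanner that walks a DER PKCS#12 blob for its PBE AlgorithmIdentifier OIDs (which PKCS#12 stores outside the encrypted content) and reports which ones OpenSSL 3 serves only from the legacy provider, so the "pbeWithSHA1And40BitRC2-CBC" answer above can be obtained without a password or OpenSSL at all. The OID table, the OCTET STRING descent heuristic and the embedded sample fragment are constructed for this example.

```python
PBE_OIDS = {  # PKCS#12 / PKCS#5 PBE OID -> (name, needs the OpenSSL 3 legacy provider)
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + e.g. AES-256-CBC)", False),
}

def _read_tlv(buf, pos):  # one DER tag + length at pos -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def decode_oid(content):  # OID content bytes -> dotted string; first byte = 40*arc1 + arc2
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:             # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, (*divmod(arcs[0], 40), *arcs[1:])))

def iter_oids(buf):
    """Yield every OID, descending into constructed types and DER-wrapping OCTET STRINGs."""
    pos = 0
    while pos < len(buf):
        tag, start, end = _read_tlv(buf, pos)
        content = buf[start:end]
        if tag == 0x06:
            yield decode_oid(content)
        elif tag & 0x20:                # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from iter_oids(content)
        elif tag == 0x04 and content[:1] == b"\x30":
            try:                        # wrapped DER (PKCS#12 SafeContents), not ciphertext, if lengths agree
                if _read_tlv(content, 0)[2] == len(content):
                    yield from iter_oids(content)
            except (ValueError, IndexError):
                pass
        pos = end

def classify_pkcs12(buf):
    """Map each PBE OID found in a DER .p12 blob to (name, needs_legacy_provider)."""
    return {oid: PBE_OIDS[oid] for oid in iter_oids(buf) if oid in PBE_OIDS}

# Constructed sample, not a real .p12: ContentInfo { id-data, [0] OCTET STRING } wrapping an
# AlgorithmIdentifier for pbeWithSHA1And40BitRC2-CBC with params {8-byte salt, 2048 iterations}.
SAMPLE_RC2_FRAGMENT = bytes.fromhex("302d06092a864886f70d010701a020041e301c"
                                    "060a2a864886f70d010c0106300e0408010101010101010102020800")
```

classify_pkcs12(open("TEST.p12", "rb").read()) on a real export reports the cert-bag and key-bag PBE algorithms in one pass; an empty result means the file uses a PBE this table does not list, not that it is fine.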