Comments (15)
I had the same issue. I had to downgrade to version 3.8 to fix it. I tried to enter an empty passphrase but it is not working.
from tunnelblick.
Thanks, @davidef, for reporting the problem and including the Diagnostic Info.
I don't see how a passphrase could be required; it's probably a bug in Tunnelblick, or in OpenVPN's interface with OpenSSL 3.
@Amr3zzat, thanks for reporting the problem. Did you try Tunnelblick 4 using OpenVPN 2.6.9 with OpenSSL 1.1.1w?
@jkbullard As written above, with OpenVPN 2.6.9 and OpenSSL 1.1.1w it works. The issue is only with OpenSSL 3.0.13.
@Amr3zzat - Please post the Diagnostic Info with the Tunnelblick 4 using OpenVPN 2.6.9 with OpenSSL 3.0.13 (which will fail).
@Amr3zzat - You can follow the instructions at Before You Post About a Problem.
@jkbullard My log for the issue is already attached to the first post. In the passphrase popup we can only cancel it to continue, as no passphrase is needed and an empty one is not accepted.
@davidef - Thanks, but I wasn't asking you, I was asking @Amr3zzat, both for the diagnostic info, and asking about trying it with OpenSSL 1.1.1w. I had no questions for you because your report was very complete!
(That's what the "@xxxxx" is for: directing a comment/question to a particular person.)
Everyone with this problem: If you could post the Diagnostic Info after enabling extra logging, that would be very helpful.
To enable extra logging for this problem, please copy/paste the following into /Applications/Utilities/Terminal:
defaults write net.tunnelblick.tunnelblick DB-AU -bool yes
Then try to connect, disconnect, and get the Diagnostic Info again.
You can then disable the extra logging by copy/pasting:
defaults delete net.tunnelblick.tunnelblick DB-AU
There is a relevant comment on the Tunnelblick Discussion Group by Andrew. Here is a copy for those who do not want to use Google websites:
It's worth noting that this error (OpenSSL unsupported RC2-40-CBC) and the repeated passphrase prompts can occur even when the server and all of the certs/keys use proper ciphers, but the PKCS#12 bundle containing the certs & keys uses legacy ciphers. This behavior also occurs with GUI frontends on other platforms, including the Windows OpenVPN GUI and the GNOME Network Manager plugin. And on all of these, you have no indication what the real problem is until you check the log...
Notably, the default .p12 output of all OpenSSL versions except OpenSSL 3 (OpenSSL <= 1.1, LibreSSL, etc.) uses legacy ciphers RC2-40/3DES/SHA1 which OpenSSL 3 refuses to load without the -legacy option. It is possible to generate an OpenSSL 3-compliant .p12 bundle on OpenSSL 1.1 with the appropriate options; I submitted such a patch to EasyRSA. (It's been merged but not yet included in any release.)
This was the case in my setup and after I created a new .p12 file with the same contents but using AES-256/SHA256 it now works with OpenVPN 2.6 + OpenSSL 3.
A workaround is to extract the certs & keys and use the appropriate separate config file options (ca, cert, key instead of p12). But as you say, it's really up to the server administrator to supply clients with compatible credentials.
@jkbullard Thank you for the feedback. We inlined the certificate and private key, and it now works. I think it would be helpful to include Andrew's note about p12 legacy ciphers here as well: https://tunnelblick.net/cTunnelblick4.html
It was actually Andrew who provided the critical comment!
@jkbullard Thanks for your feedback. When I switched to 2.6.9 with OpenSSL 1.1.1w, it connects fine.
@Amr3zzat - You're welcome. But it's important that you – and everyone else unable to use the version of OpenVPN/OpenSSL that Tunnelblick chooses by default – update your VPN setup; see Tunnelblick 4 for details.
If you want to use the latest version of OpenSSL but don't have a p12, convert it using this:
openssl pkcs12 -in original.p12 -out keycerts.pem -nodes
openssl pkcs12 -export -in keycerts.pem -out new.p12 -macalg sha256 -keypbe AES-256-CBC -certpbe AES-256-CBC -iter 2048
To verify that your p12 is a problem, this should output "Error outputting keys and certificates":
openssl pkcs12 -noout -info -in .../.p12
and:
openssl pkcs12 -noout -info -in .../.p12 -legacy
should output:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
After converting it should output:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
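As an added example (not code from the Tunnelblick project or from any commenter), a POSIX shell script that applies Andrew's point about legacy PKCS#12 ciphers and the conversion commands in the comment above: it classifies `openssl pkcs12 -noout -info` output as refused (RC2-40), weak (3DES or a SHA-1 MAC) or modern, retries with -legacy when the default provider refuses a bundle, and re-wraps the bundle with AES-256/SHA-256. The first two sample output strings are copied from the comment above, the third is constructed; the script name p12check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not Tunnelblick or OpenVPN project code: classify what
# `openssl pkcs12 -noout -info` reports and re-wrap a bundle with AES-256/SHA-256.

# Reads -info output on stdin and prints one word:
#   refused - RC2-40 lives in OpenSSL 3's legacy provider, so it loads only with -legacy
#   weak    - loads on OpenSSL 3 but still uses 3DES and/or a SHA-1 MAC
#   modern  - PBES2/AES with a SHA-2 MAC
p12_classify() {
    info=$(cat)
    if printf '%s\n' "$info" | grep -qiE 'RC2|40Bit'; then echo refused
    elif printf '%s\n' "$info" | grep -qiE 'TripleDES|MAC: *sha1(,|$)'; then echo weak
    else echo modern
    fi
}

# Inspects a bundle on disk: $1 = path, $2 = import password ('' if none).
# Tries the default provider first, falls back to -legacy, then classifies.
p12_check() {
    out=$(openssl pkcs12 -noout -info -in "$1" -passin "pass:$2" 2>&1) ||
        out=$(openssl pkcs12 -noout -info -in "$1" -passin "pass:$2" -legacy 2>&1) || return 1
    printf '%s\n' "$out" | p12_classify
}

# Re-wraps $1 into $2 (password $3) with PBES2/AES-256-CBC and a SHA-256 MAC.
# The unencrypted PEM exists only in a mode-0600 temp file during conversion.
p12_rewrap() {
    tmp=$(mktemp) || return 1
    rc=0
    { openssl pkcs12 -in "$1" -passin "pass:$3" -out "$tmp" -nodes 2>/dev/null ||
      openssl pkcs12 -in "$1" -passin "pass:$3" -out "$tmp" -nodes -legacy; } &&
    openssl pkcs12 -export -in "$tmp" -out "$2" -passout "pass:$3" \
        -macalg sha256 -keypbe AES-256-CBC -certpbe AES-256-CBC -iter 2048 || rc=$?
    rm -f "$tmp"; return $rc
}

# Sample -info output: the first two are copied from the comment above, the
# third is constructed to look like an OpenSSL 3 default export.
SAMPLE_BEFORE='MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
SAMPLE_AFTER='MAC: sha256, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
SAMPLE_MODERN='MAC: sha256, Iteration 2048
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
# Usage: sh p12check.sh bundle.p12 [password]   (hypothetical script name)
if [ -n "${1:-}" ]; then p12_check "$1" "${2:-}"; fi
```

The converted bundle shown in the comment above still classifies as weak: it loads on OpenSSL 3 because 3DES stays in the default provider, and only the RC2-40 bundle needs -legacy.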