
Comments (15)

Amr3zzat commented on June 10, 2024

I had the same issue. I had to downgrade to version 3.8 to fix this issue. I tried to enter an empty passphrase, but it is not working.

from tunnelblick.

jkbullard commented on June 10, 2024

Thanks, @davidef, for reporting the problem and including the Diagnostic Info.

I don't see how a passphrase could be required; it's probably a bug in Tunnelblick, or in OpenVPN's interface with OpenSSL 3.

jkbullard commented on June 10, 2024

@Amr3zzat, thanks for reporting the problem. Did you try Tunnelblick 4 using OpenVPN 2.6.9 with OpenSSL 1.1.1w?

davidef commented on June 10, 2024

@jkbullard, as written above, with OpenVPN 2.6.9 and OpenSSL 1.1.1w it works. The issue is only with OpenSSL 3.0.13.

jkbullard commented on June 10, 2024

@Amr3zzat - Please post the Diagnostic Info with the Tunnelblick 4 using OpenVPN 2.6.9 with OpenSSL 3.0.13 (which will fail).

jkbullard commented on June 10, 2024

@Amr3zzat - You can follow the instructions at Before You Post About a Problem.

davidef commented on June 10, 2024

@jkbullard My log for the issue is already attached to the first post. In the passphrase popup we can only cancel it to continue as no passphrase is needed and empty is not accepted.

jkbullard commented on June 10, 2024

@davidef - Thanks, but I wasn't asking you, I was asking @Amr3zzat, both for the diagnostic info, and asking about trying it with OpenSSL 1.1.1w. I had no questions for you because your report was very complete!

(That's what the "@xxxxx" is for: directing a comment/question to a particular person.)

jkbullard commented on June 10, 2024

Everyone with this problem: If you could post the Diagnostic Info after enabling extra logging, that would be very helpful.

To enable extra logging for this problem, please copy/paste the following into /Applications/Utilities/Terminal:

defaults write net.tunnelblick.tunnelblick DB-AU -bool yes

Then try to connect, disconnect, and get the Diagnostic Info again.

You can then disable the extra logging by copy/pasting:

defaults delete net.tunnelblick.tunnelblick DB-AU

jkbullard commented on June 10, 2024

There is a relevant comment on the Tunnelblick Discussion Group by Andrew. Here is a copy for those who do not want to use Google websites:

It's worth noting that this error (OpenSSL unsupported RC2-40-CBC) and the repeated passphrase prompts can occur even when the server and all of the certs/keys use proper ciphers, but the PKCS#12 bundle containing the certs & keys uses legacy ciphers. This behavior also occurs with GUI frontends on other platforms, including the Windows OpenVPN GUI and the GNOME Network Manager plugin. And on all of these, you have no indication what the real problem is until you check the log...

Notably, the default .p12 output of all OpenSSL versions except OpenSSL 3 (OpenSSL <= 1.1, LibreSSL, etc.) uses legacy ciphers RC2-40/3DES/SHA1 which OpenSSL 3 refuses to load without the -legacy option. It is possible to generate an OpenSSL 3-compliant .p12 bundle on OpenSSL 1.1 with the appropriate options; I submitted such a patch to EasyRSA. (It's been merged but not yet included in any release.)

This was the case in my setup and after I created a new .p12 file with the same contents but using AES-256/SHA256 it now works with OpenVPN 2.6 + OpenSSL 3.

A workaround is to extract the certs & keys and use the appropriate separate config file options (ca, cert, key instead of p12). But as you say, it's really up to the server administrator to supply clients with compatible credentials.

davidef commented on June 10, 2024

@jkbullard Thank you for the feedback. We inlined the certificate and private key, and it now works. I think it will be helpful to include the p12 legacy ciphers note by Andrew also here: https://tunnelblick.net/cTunnelblick4.html

jkbullard commented on June 10, 2024

It was actually Andrew who provided the critical comment!

Amr3zzat commented on June 10, 2024

@jkbullard Thanks for your feedback. When I switched to 2.6.9 with OpenSSL 1.1.1w, it connects fine.

jkbullard commented on June 10, 2024

@Amr3zzat - You're welcome. But it's important that you – and everyone else unable to use the version of OpenVPN/OpenSSL that Tunnelblick chooses by default – update your VPN setup; see Tunnelblick 4 for details.

everlof commented on June 10, 2024

If you want to use the latest version of OpenSSL but don't have a p12, convert it using this:

openssl pkcs12 -in original.p12 -out keycerts.pem -nodes
openssl pkcs12 -export -in keycerts.pem -out new.p12 -macalg sha256 -keypbe AES-256-CBC -certpbe AES-256-CBC -iter 2048

To verify that your p12 is a problem, this should output "Error outputting keys and certificates":

openssl pkcs12 -noout -info -in .../.p12

and:

openssl pkcs12 -noout -info -in .../.p12 -legacy

should output:

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

After converting it should output:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

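The triage and re-export steps from the comments above, folded into one script as an added example (not code from the Tunnelblick project or any commenter). It assumes an OpenSSL 3 `openssl` binary on PATH for the two functions that touch real files; the classifier only inspects the text that `openssl pkcs12 -noout -info` prints, so RC2-protected bundles (which OpenSSL 3 cannot even parse without `-legacy`) are told apart from bundles that merely use dated 3DES/SHA-1 protection.

```shell
#!/bin/sh
# Added example: find out whether a PKCS#12 bundle uses the legacy algorithms
# that make OpenVPN 2.6 + OpenSSL 3 keep asking for a passphrase, and re-export
# it with AES-256-CBC for the bags and an SHA-256 MAC.
# Assumption: `openssl` on PATH is OpenSSL 3 (needed for the -legacy flag).
set -eu

# Classify the text of `openssl pkcs12 -noout -info`.
# Prints "unloadable" if a legacy-provider-only cipher (RC2) protects a bag,
#        "weak"       if only 3DES bags or an SHA-1 MAC are used (loads, but dated),
#        "modern"     otherwise (e.g. PBES2/AES-256-CBC with an SHA-256 MAC).
classify_p12_info() {
  info="$1"
  if printf '%s\n' "$info" | grep -qiE 'RC2'; then
    echo unloadable
  elif printf '%s\n' "$info" | grep -qiE 'TripleDES|MAC: *sha1'; then
    echo weak
  else
    echo modern
  fi
}

# Inspect a real bundle: try the default provider first, then fall back to the
# legacy provider so RC2 bundles can still be described rather than just fail.
check_p12() {
  file="$1"; pass="${2:-}"
  if out=$(openssl pkcs12 -noout -info -in "$file" -passin "pass:$pass" 2>&1); then
    classify_p12_info "$out"
  elif out=$(openssl pkcs12 -noout -info -legacy -in "$file" -passin "pass:$pass" 2>&1); then
    classify_p12_info "$out"
  else
    echo "cannot parse $file: $out" >&2; return 1
  fi
}

# Re-export: unwrap to a temporary PEM (with -legacy if the default provider
# refuses it), then wrap again with modern PBE, and re-check the result.
convert_p12() {
  in="$1"; out="$2"; pass="${3:-}"
  tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
  openssl pkcs12 -in "$in" -out "$tmp" -nodes -passin "pass:$pass" 2>/dev/null \
    || openssl pkcs12 -legacy -in "$in" -out "$tmp" -nodes -passin "pass:$pass"
  openssl pkcs12 -export -in "$tmp" -out "$out" -macalg sha256 \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -iter 2048 -passout "pass:$pass"
  check_p12 "$out" "$pass"
}
```

Usage: `convert_p12 original.p12 new.p12` (add the passphrase as a third argument if the bundle has one); the temporary PEM holds the unencrypted private key, so keep it on a private filesystem.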