VPN Roadwarrior - OpenSSL: error:0308010C

ertank · October 4, 2023, 8:31am

NethServer Version: 7.9.2009
Module: VPN, v1.7.2

I have not been accessing this server for a long time. It has quite a lot updates but nothing for VPN and I didn’t update it as I’m waiting for slow working hours.

I have below lines in my vpn client logs

2023-10-04 11:10:09 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-10-04 11:10:09 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-10-04 11:10:09 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-10-04 11:10:09 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-10-04 11:10:09 DCO version: v0
2023-10-04 11:10:09 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-10-04 11:10:09 Need hold release from management interface, waiting...
2023-10-04 11:10:09 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52925
2023-10-04 11:10:09 MANAGEMENT: CMD 'state on'
2023-10-04 11:10:09 MANAGEMENT: CMD 'log on all'
2023-10-04 11:10:09 MANAGEMENT: CMD 'echo on all'
2023-10-04 11:10:09 MANAGEMENT: CMD 'bytecount 5'
2023-10-04 11:10:09 MANAGEMENT: CMD 'state'
2023-10-04 11:10:09 MANAGEMENT: CMD 'hold off'
2023-10-04 11:10:09 MANAGEMENT: CMD 'hold release'
2023-10-04 11:10:11 MANAGEMENT: CMD 'username "Auth" "my_connection_name"'
2023-10-04 11:10:11 MANAGEMENT: CMD 'password [...]'
2023-10-04 11:10:11 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-10-04 11:10:11 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RSA-SHA256 : 0), Properties (<null>)
2023-10-04 11:10:11 MANAGEMENT: Client disconnected
2023-10-04 11:10:11 Message hash algorithm 'RSA-SHA256' not found
2023-10-04 11:10:11 Exiting due to fatal error

As far as I understand, this is related to the configuration file itself and not about communication with the server. But, I cannot be sure.

When I download a new configuration file from server, it is identical to the existing one and not fixing.

Can someone who has more knowledge than me be kind enough to explain the problem and how to fix it, please?

Thanks & Regards,
Ertan

pike · October 4, 2023, 9:03am

Do you have any other OpenVPN Client (not 2.6.6 version) already working with the same config?
Some rows of your log are a little “uncommon”…

ertank:

2023-10-04 11:10:09 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

Deprecated chyphers

hash algorithm not found…

Would be nice also to share the screenshot of your config for OpenVPN server and the client configuration file (without public ip, username, and obviously server certificate)

ertank · October 4, 2023, 10:11am

I am using exact same VPN client to connect to another NethServer same version for both server and VPN.

These warnings I have reported earlier in another thread. Seems like VPN client changing its defaults for a while now.

Hash algorithm not found is the main error.

Below is my server config

Below is my vpn config

######### NethServer OpenVPN client configuration #########

dev tun
client
remote xxx.xxx.xxx.xxx
port 1194
proto udp
explicit-exit-notify 1
float
auth-user-pass
# certificates removed
auth RSA-SHA256
cipher AES-256-CBC
verb 3
persist-key
persist-tun
nobind
passtos

Thanks.

pike · October 4, 2023, 10:31am

For what i know, everything is consistent between server settings and configuration file.
Assuming:

configuration file is the same (excluding credentials but including certificate) between both clients
OpenVPN client is the same version between both clients
configuration file received is the same on what already present on the client
Also, OpenVPN client cannot be tested with any other OpenVPN endpoint (server) for second sample

I’d go for a Windows troubleshooting roundup. Issue could be something “not right” on OpenVPN client or Windows underlying.

Anyway… due to updates still to be done on server… Don’t to anything until update & reboot of the server (and subsequent test)

ertank · October 4, 2023, 11:11am

Here is the only difference from the server that I can connect fine.

Once I change this setting on problematic and download new open vpn settings file, all is good without installing waiting updates.

I just don’t know why it does not work with RSA-SHA256.

Thanks & Regards,
Ertan

pike · October 4, 2023, 11:39am

SHA512 completely exclude RSA from the equation.
Also, is a couple of notches up in digest security, which is never bad if the underling platform have more juce to manage it.