VPN Roadwarrior - OpenSSL: error:0308010C

NethServer Version: 7.9.2009
Module: VPN, v1.7.2

I have not been accessing this server for a long time. It has quite a lot updates but nothing for VPN and I didn’t update it as I’m waiting for slow working hours.

I have below lines in my vpn client logs

2023-10-04 11:10:09 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-10-04 11:10:09 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-10-04 11:10:09 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-10-04 11:10:09 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-10-04 11:10:09 DCO version: v0
2023-10-04 11:10:09 MANAGEMENT: TCP Socket listening on [AF_INET]
2023-10-04 11:10:09 Need hold release from management interface, waiting...
2023-10-04 11:10:09 MANAGEMENT: Client connected from [AF_INET]
2023-10-04 11:10:09 MANAGEMENT: CMD 'state on'
2023-10-04 11:10:09 MANAGEMENT: CMD 'log on all'
2023-10-04 11:10:09 MANAGEMENT: CMD 'echo on all'
2023-10-04 11:10:09 MANAGEMENT: CMD 'bytecount 5'
2023-10-04 11:10:09 MANAGEMENT: CMD 'state'
2023-10-04 11:10:09 MANAGEMENT: CMD 'hold off'
2023-10-04 11:10:09 MANAGEMENT: CMD 'hold release'
2023-10-04 11:10:11 MANAGEMENT: CMD 'username "Auth" "my_connection_name"'
2023-10-04 11:10:11 MANAGEMENT: CMD 'password [...]'
2023-10-04 11:10:11 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-10-04 11:10:11 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RSA-SHA256 : 0), Properties (<null>)
2023-10-04 11:10:11 MANAGEMENT: Client disconnected
2023-10-04 11:10:11 Message hash algorithm 'RSA-SHA256' not found
2023-10-04 11:10:11 Exiting due to fatal error

As far as I understand, this is related to the configuration file itself and not about communication with the server. But, I cannot be sure.

When I download a new configuration file from server, it is identical to the existing one and not fixing.

Can someone who has more knowledge than me be kind enough to explain the problem and how to fix it, please?

Thanks & Regards,

Do you have any other OpenVPN Client (not 2.6.6 version) already working with the same config?
Some rows of your log are a little “uncommon”…

Deprecated chyphers

hash algorithm not found…

Would be nice also to share the screenshot of your config for OpenVPN server and the client configuration file (without public ip, username, and obviously server certificate)

I am using exact same VPN client to connect to another NethServer same version for both server and VPN.

These warnings I have reported earlier in another thread. Seems like VPN client changing its defaults for a while now.

Hash algorithm not found is the main error.

Below is my server config

Below is my vpn config

######### NethServer OpenVPN client configuration #########

dev tun
remote xxx.xxx.xxx.xxx
port 1194
proto udp
explicit-exit-notify 1
# certificates removed
auth RSA-SHA256
cipher AES-256-CBC
verb 3


For what i know, everything is consistent between server settings and configuration file.

  • configuration file is the same (excluding credentials but including certificate) between both clients
  • OpenVPN client is the same version between both clients
  • configuration file received is the same on what already present on the client
  • Also, OpenVPN client cannot be tested with any other OpenVPN endpoint (server) for second sample

I’d go for a Windows troubleshooting roundup. Issue could be something “not right” on OpenVPN client or Windows underlying.

Anyway… due to updates still to be done on server… Don’t to anything until update & reboot of the server (and subsequent test)

Here is the only difference from the server that I can connect fine.

Once I change this setting on problematic and download new open vpn settings file, all is good without installing waiting updates.

I just don’t know why it does not work with RSA-SHA256.

Thanks & Regards,

SHA512 completely exclude RSA from the equation.
Also, is a couple of notches up in digest security, which is never bad if the underling platform have more juce to manage it. :wink: