OpenSSL error when connecting to VPN via NetworkManager (Fedora 36)

I’ve recently upgraded to Fedora 36 Silverblue. My first attempt to connect to my VPN failed with the following error:

Apr 04 20:34:31 fedora NetworkManager[817]: <info>  [1649097271.6290] vpn[0x563061ce84d0,5baae628-e0ff-410e-b94a-3be4a07a73d1,"Work"]: starting openvpn
Apr 04 20:34:31 fedora NetworkManager[817]: <info>  [1649097271.6294] audit: op="connection-activate" uuid="5baae628-e0ff-410e-b94a-3be4a07a73d1" name="Work" pid=1718 uid=1000 result="success"
Apr 04 20:34:31 fedora nm-openvpn[3371]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 04 20:34:31 fedora nm-openvpn[3371]: OpenVPN 2.5.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Apr 04 20:34:31 fedora nm-openvpn[3371]: library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Apr 04 20:34:31 fedora nm-openvpn[3371]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 04 20:34:31 fedora nm-openvpn[3371]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Apr 04 20:34:31 fedora nm-openvpn[3371]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Apr 04 20:34:31 fedora nm-openvpn[3371]: EVP cipher init #1
Apr 04 20:34:31 fedora nm-openvpn[3371]: Exiting due to fatal error

Does anybody have a similar openssl error?

IIUC Fedora 36 moved to OpenSSL 3. This might be a possible reason?

Before upgrading to f36, I removed the openssl package I had overlayed. I thought I did it to make a GNOME extension work, but now I suspect I installed it also to make openvpn work. I can’t remember.
I haven’t tried installing it yet, as I expected the openvpn plugin to work out-of-the-box.

3 Likes

You can re-enable the now disabled-by-default ciphers. Take a look at this topic where we did some digging and found a fix for an OpenSSLv3-related issue.

2 Likes

Or, if you operate the VPN yourself, upgrade the other end too :slight_smile:

2 Likes

I tried editing that file:

# grep -A5 crypto_policy /etc/pki/tls/openssl.cnf 
system_default = crypto_policy

[ crypto_policy ]

# https://ask.fedoraproject.org/t/cannot-connect-to-wpa2-enterprise-university-wifi-on-fedora-36/20288/5
Options = UnsafeLegacyRenegotiation
.include = /etc/crypto-policies/back-ends/opensslcnf.config

but it’s failing with the same error message.

What if I install the openssl1.1 package? Let’s try.

Unfortunately I do not operate the VPN and I need a quick workaround.

1 Like

No, openssl1.1 doesn’t help.

I’m using a static key with the following header:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

Other ideas?

1 Like

I think that’s because your error is not exactly what the other post notes with Eduroam. Before we figured out the solution there, we also discussed enabling legacy cipher algorithms. Take a look at this:

https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers

There’s also this:

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2#Upgrade.2Fcompatibility_impact

I don’t know enough to know what to tweak. I went about trying everything until it worked :sweat_smile:

2 Likes

I tried updating the policy but none of them helped:

update-crypto-policies --set DEFAULT:FEDORA32
systemctl reboot

...

update-crypto-policies --set LEGACY
systemctl reboot

2 Likes

And what about enabling legacy algorithms as in the upstream documentation?

2 Likes

This is the solution!

I uncommented these lines in /etc/ssl/openssl.cnf:

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

and the connection worked immediately.
Many thanks!

5 Likes
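A small check for the fix above, added here as an example; it is not code from this thread, from Fedora or from the OpenSSL project. It parses the INI-style layout of openssl.cnf and follows the chain the solution relies on (`openssl_init` → `providers` → the provider section → the `legacy` section's `activate` line) to report whether the legacy provider is actually switched on, and it also reports the default provider, because once any provider is listed explicitly in the config, OpenSSL 3 no longer loads `default` automatically, so commenting in `legacy_sect` without `default_sect` breaks everything else. The two configs are constructed samples (one mimicking the shipped, commented-out layout, one with the lines uncommented as in the post); `.include` lines are recorded but not followed, so the check only sees what is in the file it is given.

```python
"""Report which OpenSSL 3 providers an openssl.cnf activates.

Added example for the thread's fix; the only real-world names used are the
section and key names OpenSSL documents (openssl_conf, openssl_init,
providers, activate).  The sample configs below are constructed.
"""
import re

# Values OpenSSL treats as "on" for activate; "1" is the documented form.
_TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_openssl_cnf(text):
    """Return {section: {key: value}} for an OpenSSL-style config.

    Keys before the first [section] header land in the '' section.
    '#' comments and blank lines are dropped, so a commented-out
    '# legacy = legacy_sect' correctly does not count.  '.include' lines
    are kept under the key '.include' so the caller can see that part of
    the policy lives in another file (they are not followed here).
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.startswith(".include") and "=" not in line:
            sections[current][".include"] = line[len(".include"):].strip()
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def provider_status(text):
    """Return {'default': bool, 'legacy': bool} for the given config text.

    Follows openssl_conf (default name 'openssl_init') -> providers ->
    the named provider section -> each provider's own section -> activate.
    A provider that is listed but whose section lacks 'activate = 1'
    is reported as not active, which is how OpenSSL 3 treats it.
    """
    cfg = parse_openssl_cnf(text)
    init_name = cfg[""].get("openssl_conf", "openssl_init")
    providers_name = cfg.get(init_name, {}).get("providers")
    providers = cfg.get(providers_name, {}) if providers_name else {}
    status = {}
    for name in ("default", "legacy"):
        section_name = providers.get(name)
        value = cfg.get(section_name, {}).get("activate", "") if section_name else ""
        status[name] = value.lower() in _TRUE_VALUES
    return status


def legacy_provider_active(text):
    """True only if the legacy provider is on AND default is still on."""
    status = provider_status(text)
    return status["legacy"] and status["default"]


# Constructed sample: the shipped layout, legacy lines still commented out.
CNF_SHIPPED = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
# legacy = legacy_sect

[default_sect]
activate = 1

# [legacy_sect]
# activate = 1
"""

# Constructed sample: the same file with the lines from the post uncommented.
CNF_FIXED = CNF_SHIPPED.replace("# legacy", "legacy").replace(
    "# [legacy_sect]\n# activate = 1", "[legacy_sect]\nactivate = 1")

# Constructed sample of the mistake the default-provider check catches:
# legacy activated, default section left commented out.
CNF_BROKEN = CNF_FIXED.replace("[default_sect]\nactivate = 1",
                               "[default_sect]\n# activate = 1")

if __name__ == "__main__":
    for label, cnf in (("shipped", CNF_SHIPPED), ("fixed", CNF_FIXED),
                       ("broken", CNF_BROKEN)):
        print(label, provider_status(cnf), "ok" if legacy_provider_active(cnf) else "NOT OK")
```

Run it against a real file with `provider_status(open("/etc/ssl/openssl.cnf").read())`; a result of `{'default': False, 'legacy': True}` means the legacy block was enabled but `default_sect` was left commented, which makes every modern cipher fail rather than just BF-CBC.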