I’ve recently upgraded to Fedora 36 Silverblue. My first attempt to connect to my VPN failed with the following error:
Apr 04 20:34:31 fedora NetworkManager: <info> [1649097271.6290] vpn[0x563061ce84d0,5baae628-e0ff-410e-b94a-3be4a07a73d1,"Work"]: starting openvpn
Apr 04 20:34:31 fedora NetworkManager: <info> [1649097271.6294] audit: op="connection-activate" uuid="5baae628-e0ff-410e-b94a-3be4a07a73d1" name="Work" pid=1718 uid=1000 result="success"
Apr 04 20:34:31 fedora nm-openvpn: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 04 20:34:31 fedora nm-openvpn: OpenVPN 2.5.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Apr 04 20:34:31 fedora nm-openvpn: library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Apr 04 20:34:31 fedora nm-openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 04 20:34:31 fedora nm-openvpn: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Apr 04 20:34:31 fedora nm-openvpn: OpenSSL: error:0308010C:digital envelope routines::unsupported
Apr 04 20:34:31 fedora nm-openvpn: EVP cipher init #1
Apr 04 20:34:31 fedora nm-openvpn: Exiting due to fatal error
Does anybody have a similar openssl error?
IIUC Fedora 36 moved to OpenSSL 3. This might be a possible reason?
Before upgrading to f36, I removed the openssl package I had overlaid. I thought I did it to make a GNOME extension work, but now I suspect I installed it also to make openvpn work. I can’t remember.
I haven’t tried installing it yet, as I expected the openvpn plugin to work out-of-the-box.
I think that’s because your error is not exactly what the other post notes with Eduroam. Before we figured out the solution there, we also discussed enabling legacy cipher algorithms. Take a look at this:
I have the same problem. I upgraded a server from F35 to F36, and it’s an OpenVPN server for many clients (a number of them with older routers and openwrt, so openvpn can’t be upgraded), and this solution didn’t work.
I’m not sure about the line in openssl.cnf, openssl_conf = openssl_init,
because there is already a statement openssl_conf = default_modules,
so I’m not sure if it’s possible to have 2 openssl_conf statements within the conf file?
I tried many different variations to no avail, then I ended up using podman with F35 and openvpn and older openssl to get it to work, as I couldn’t play with it any more.
So I’m still looking for a solution by enabling --legacy algorithms in openssl.
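
On the question above about two openssl_conf statements: OpenSSL's config format keeps only the last value when a name is repeated in the same section, so a second line replaces the first instead of adding to it. The following is an added example, not code from any post in this thread, and it is a simplified model of the lookup rather than OpenSSL's own parser; every section name other than openssl_init and default_modules is constructed for the illustration.

```python
# Simplified model of the provider lookup (no .include, $variables or quoting).

def parse_conf(text):
    """Return {section: {name: value}}; a repeated name keeps the last value."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections[current][name] = value
    return sections

def active_providers(text):
    """Names of the providers that the winning openssl_conf section activates."""
    conf = parse_conf(text)
    init = conf.get(conf["default"].get("openssl_conf", ""), {})
    providers = conf.get(init.get("providers", ""), {})
    return sorted(name for name, sect in providers.items()
                  if "activate" in conf.get(sect, {}))

# Constructed sample: two top-level openssl_conf lines, as asked about above.
TWO_STATEMENTS = """
openssl_conf = openssl_init
openssl_conf = default_modules
[openssl_init]
providers = legacy_providers
[legacy_providers]
default = default_sect
legacy = legacy_sect
[default_modules]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""

# Constructed sample: one openssl_conf line, legacy added to the existing list.
MERGED = TWO_STATEMENTS.replace("openssl_conf = openssl_init\n", "").replace(
    "[provider_sect]\n", "[provider_sect]\nlegacy = legacy_sect\n")
print(active_providers(TWO_STATEMENTS), active_providers(MERGED))
```

Once a config file activates any provider explicitly, the default provider has to be activated there as well, which is why both samples list default_sect. Activating the legacy provider in the system-wide file makes BF-CBC and the other legacy algorithms available to every program that reads that file, not only to openvpn.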