OpenVPN Connect Error using p12 certificate file from openssl-1.1

Hi there,
After the last updates of Solus, my OpenVPN connections won't come up, throwing:
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy...
After some research, the solution was to accept the legacy option for openssl3 in the global config under
/usr/share/defaults/etc/ssl/openssl.cnf

To do so, add under

```
# List of providers to load
[provider_sect]
default = default_sect
legacy = legacy_sect
```

and activate under

```
[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

The solution was adapted from:

https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

Thanks a lot for this.

Best regards

That's a bad solution. /usr/share/defaults/etc/ssl/openssl.cnf is owned by the openssl package and your changes will be overridden on a future update to that package. Also, you're reducing the security of every application that uses openssl (which is the vast majority of software on your system that uses SSL/TLS).

A much better solution would be to identify why your connection is failing and fix that. OpenSSL 3.x disables several things by default:

  • SHA1 certificates
  • RC2/BF-CBC ciphers
  • TLS 1.1 and older

Depending on which of these is broken you should generate new certificates using SHA256, change the ciphers used, or switch the server to use TLS 1.2/1.3. If you can't do this, the correct workaround is to add `providers legacy default` to your OpenVPN configuration file, which configures OpenVPN to use the legacy provider WITHOUT enabling it for all applications.
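An added example (not posted by either participant) that follows the reply's advice: it triages which of the listed breakages a .p12 bundle actually hits, and re-exports the bundle with OpenSSL 3 default-provider algorithms so the legacy provider is needed neither in the global openssl.cnf nor in the OpenVPN config. It assumes openssl 3.x on PATH; the bundle path and password are hypothetical arguments, and the two helpers that only classify text are what the test exercises.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a PKCS#12 bundle that OpenSSL 3
# rejects and re-export it with default-provider algorithms, so the legacy
# provider is needed neither in openssl.cnf nor in the OpenVPN config.
# Assumptions: openssl 3.x on PATH; bundle path and password are given as
# arguments (hypothetical "client.p12"); the classify_* helpers take text only.

# Read `openssl pkcs12 -info -noout` output on stdin. RC2/RC4/Blowfish PBE
# ciphers live only in the legacy provider; AES and 3DES are in the default one.
classify_pkcs12_info() {
    if grep -Eq 'RC2|RC4|BF-CBC'; then echo legacy; else echo ok; fi
}

# Classify one "Signature Algorithm:" line from `openssl x509 -text`.
# SHA-1/MD5 signed certificates are rejected by OpenSSL 3 at its default level.
classify_sig_alg() {
    case "$1" in
        *sha1With*|*md5With*) echo weak ;;
        *) echo ok ;;
    esac
}

# Re-export: read with the legacy provider enabled for this one command only,
# then write with OpenSSL 3 defaults (PBES2/PBKDF2, AES-256-CBC, SHA-256 MAC).
reexport_p12() {   # $1 = old bundle, $2 = password, $3 = new bundle
    umask 077                                  # temp PEM holds the private key
    tmp=$(mktemp) || return 1
    if openssl pkcs12 -in "$1" -passin "pass:$2" -legacy -noenc -out "$tmp" &&
       openssl pkcs12 -export -in "$tmp" -out "$3" -passout "pass:$2"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Full triage of a real bundle; needs openssl, so not exercised by the test.
triage_p12() {   # $1 = bundle, $2 = password
    info=$(openssl pkcs12 -info -noout -legacy -in "$1" -passin "pass:$2" 2>&1)
    echo "PKCS#12 encoding: $(printf '%s\n' "$info" | classify_pkcs12_info)"
    sig=$(openssl pkcs12 -in "$1" -passin "pass:$2" -legacy -nokeys |
          openssl x509 -noout -text | grep 'Signature Algorithm' | head -n 1)
    echo "certificate signature: $(classify_sig_alg "$sig") ($sig)"
    # A weak signature needs a new certificate from the CA; a legacy encoding
    # alone is fixed by: reexport_p12 "$1" "$2" client-new.p12
}

if [ $# -ge 2 ]; then triage_p12 "$1" "$2"; fi
```

Run as `sh triage.sh client.p12 'password'`; if only the encoding is flagged, the re-exported bundle loads without any `providers` line in the OpenVPN config.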