Core Update 184 Unable to start OpenVPN Server: Message hash algorithm 'whirlpool' not found

I set the Hash Algorithm to “Whirlpool (512 bit)” (because it appeared higher in the menu list than “SHA2 (512 bit)”, which I had previously selected).

When I press “Start OpenVPN Server”, it remains in the “STOPPED” state.
Investigating the log file /var/log/messages reveals the following:

Apr  2 21:56:31 firewall openvpnserver[14441]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Apr  2 21:56:31 firewall openvpnserver[14441]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
Apr  2 21:56:31 firewall openvpnserver[14441]: OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 19 2023
Apr  2 21:56:31 firewall openvpnserver[14441]: library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
Apr  2 21:56:31 firewall openvpnserver[14442]: MANAGEMENT: unix domain socket listening on /var/run/openvpn.sock
Apr  2 21:56:31 firewall openvpnserver[14442]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr  2 21:56:31 firewall openvpnserver[14442]: Diffie-Hellman initialized with 4096 bit key
Apr  2 21:56:31 firewall openvpnserver[14442]: CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
Apr  2 21:56:31 firewall openvpnserver[14442]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Apr  2 21:56:31 firewall openvpnserver[14442]: Message hash algorithm 'whirlpool' not found
Apr  2 21:56:31 firewall openvpnserver[14442]: Exiting due to fatal error

So it seems that ‘whirlpool’ is not supported by OpenSSL 3.2.1?
There was a ticket to remove whirlpool from OpenSSL, but it was closed without removal:
https://github.com/openssl/openssl/issues/5118
However, whirlpool was moved to the legacy provider:
https://github.com/openssl/openssl/issues/5118#issuecomment-703280657
I’m not sure if that affects using whirlpool in IPFire.

As I am unable to get “Whirlpool (512 bit)” to work, I am going to put the hash algorithm back to “SHA2 (512 bit)”.

With that setting, pressing “Start OpenVPN Server” quickly changes state to “RUNNING”, and the whirlpool error no longer appears in the log.

If “Whirlpool (512 bit)” does not work, it should be removed from the GUI.

Yes, that would. You would need to manually add into your client .ovpn file the line

providers legacy default

That would allow a whole bunch of legacy ciphers to be accessible from OpenSSL-3.2.1.

Will discuss what we should do at the next devs conf call.
I certainly was not, and I suspect the other devs were not, aware of that change of status of Whirlpool in OpenSSL-3.2.1.

Thanks for flagging it up.
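The failure in this thread can be triaged automatically from /var/log/messages. The following is an added example, not code from the thread or from IPFire: it pairs the "Message hash algorithm ... not found" line with the OpenSSL library version logged at start-up and flags digests that OpenSSL 3.x only provides through the legacy provider. The function name `triage` and the contents of `LEGACY_DIGESTS` beyond whirlpool are assumptions.

```python
import re

# Digests that OpenSSL 3.x ships only in the legacy provider. Assumed subset:
# the thread itself names whirlpool only.
LEGACY_DIGESTS = {"whirlpool", "md2", "md4", "mdc2"}

LIB_RE = re.compile(r"openvpnserver\[\d+\]: library versions: OpenSSL (\d+)\.(\d+)\.(\d+)")
HASH_RE = re.compile(r"openvpnserver\[\d+\]: Message hash algorithm '([^']+)' not found")
FATAL_RE = re.compile(r"openvpnserver\[\d+\]: Exiting due to fatal error")

# Lines copied from the log quoted in the first post of the thread.
SAMPLE_LOG = """\
Apr  2 21:56:31 firewall openvpnserver[14441]: library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
Apr  2 21:56:31 firewall openvpnserver[14442]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Apr  2 21:56:31 firewall openvpnserver[14442]: Message hash algorithm 'whirlpool' not found
Apr  2 21:56:31 firewall openvpnserver[14442]: Exiting due to fatal error
"""

def triage(log_text):
    """Return one finding per start attempt that died on a missing digest."""
    findings, openssl, missing = [], None, None
    for line in log_text.splitlines():
        m = LIB_RE.search(line)
        if m:  # a new start attempt: remember the linked OpenSSL version
            openssl = tuple(int(x) for x in m.groups())
            missing = None
            continue
        m = HASH_RE.search(line)
        if m:
            missing = m.group(1).lower()
            continue
        if FATAL_RE.search(line) and missing:
            findings.append({
                "digest": missing,
                "openssl": ".".join(map(str, openssl)) if openssl else None,
                # True only when OpenSSL >= 3 and the digest is legacy-only
                "legacy_provider": bool(openssl) and openssl[0] >= 3
                                   and missing in LEGACY_DIGESTS,
            })
            missing = None
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A finding with `legacy_provider` set to true points at the situation described above: the configured hash exists in OpenSSL but is not available from the default provider.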