OpenVPN 4096 Private Clientkey doesn´t work

am new here and have a problem.
IPFire 2.27 coreupdate 174.
i want to set up a new user.
everything looks good so far.
The privatkey is now 4096 encrypted.

But i can’t get a connection.

Error in Openvpn client:
VENT: EPKI_ERROR External Certificate Signing Failed
Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0406B07A:rsa routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib

TLS Error TLS key negotiaition failed to occur within 60 sec
TLS error TLS handshake failed

If I use an old key (2048 encrypted), everything works.
I have tried a few things, but so far without success.

Does anyone have an idea?


Are you using a recent version of the OpenVPN client? AFAIR you’ll need version 2.6.x (based on OpenSSL3 instead of 1.1) for keys with 4096 bytes length.

OpenVPN: Version 3.3.7 2979

I’d try the most recent community client:

I installed it but nothing works with this.
both old and new key are not working now.
2023-04-26 10:57:54 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
2023-04-26 10:57:54 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-04-26 10:57:54 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-04-26 10:57:54 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
i open it with keyexplorer , password is correct.
I am now building a test environment,
thx for your help.

Stating the obvious, but it might help anyway.

This error:

and the fact that the old key with a smaller size works suggest that this is a problem related to the key size in OpenVPN configuration.

that was my first thought, but i have no solution yet.

As far as I’m aware
There is no Open SSL 3 in ipfire.
Not sure if that helps.



Openvpn ssl:


Add in xxx.openvpn
providers legacy default

This is how it worked.