OpenVPN not working for Archlinux any more

I don’t use OpenVPN very often on this machine, but coming to it now, connecting to an IPFIRE 171 OpenVPN, it fails.
Connection works from a couple of Linuxmint machines connecting to the same box.
journalctl -xe | grep vpn gives:

Nov 25 10:45:31 onyx-pc nm-openvpn[6692]: OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2022
Nov 25 10:45:31 onyx-pc nm-openvpn[6692]: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Nov 25 10:45:31 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:45:31 onyx-pc nm-openvpn[6692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Nov 25 10:45:42 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:45:42 onyx-pc nm-openvpn[6692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 25 10:45:42 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:42 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:42 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:42 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Nov 25 10:45:47 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:45:47 onyx-pc nm-openvpn[6692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 25 10:45:47 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:47 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:47 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:47 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Nov 25 10:45:52 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:45:52 onyx-pc nm-openvpn[6692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 25 10:45:52 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:52 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:52 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:52 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Nov 25 10:46:02 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:46:02 onyx-pc nm-openvpn[6692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 25 10:46:02 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:46:02 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:46:02 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:46:02 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting

I tried recreating the client connection at the Ipfire, and on this client, no different.
Any clues?

Your client is using openssl-3.0.7 while IPFire is still on openssl-1.1.1r, and there is a mismatch between these two openssl versions in terms of the ciphers defined as default.

There has been work on evaluating openssl-3 for IPFire, but there have been so many security-related reversions or CVEs with openssl-3 that the decision has been made to hold on any migration to it until the security stability has improved.

See this previous forum thread which covers this topic.
https://community.ipfire.org/t/ovpn-cert-creation-algo/7911

4 Likes
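A triage sketch for the journal output quoted in the question, added here as an example and not part of either post: it separates the two causes OpenVPN lumps together in "Probably wrong password or unsupported/legacy encryption", and also reports the missing server certificate verification. The function name `triage`, the verdict strings and the classification rule are assumptions of this example.

```python
import re

# Constructed sample: the first two retry cycles from the journal output quoted in the post.
SAMPLE = """\
Nov 25 10:45:31 onyx-pc nm-openvpn[6692]: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Nov 25 10:45:31 onyx-pc nm-openvpn[6692]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:32 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: OpenSSL: error:0308010C:digital envelope routines::unsupported
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Nov 25 10:45:37 onyx-pc nm-openvpn[6692]: SIGUSR1[soft,private-key-password-failure] received, process restarting
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ nm-openvpn\[\d+\]: (.*)$")
OSSL_ERR = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]*)::(.*)")
LIB = re.compile(r"library versions: OpenSSL (\d+)\.(\d+)\.(\d+)")

def triage(journal_text):
    """Summarise nm-openvpn journal lines; the verdict is a heuristic, not an OpenVPN feature."""
    r = {"openssl": None, "errors": set(), "restarts": 0,
         "pkcs12_failed": False, "no_server_verify": False}
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an nm-openvpn journal line
        msg = m.group(1)
        if (v := LIB.search(msg)):
            r["openssl"] = tuple(int(x) for x in v.groups())
        elif (e := OSSL_ERR.search(msg)):
            r["errors"].add((e.group(2), e.group(3)))  # (library, reason)
        elif msg.startswith("Decoding PKCS12 failed"):
            r["pkcs12_failed"] = True
        elif "private-key-password-failure" in msg:
            r["restarts"] += 1
        elif "No server certificate verification method" in msg:
            r["no_server_verify"] = True
    if not r["pkcs12_failed"]:
        r["verdict"] = "no-pkcs12-failure"
    elif ("digital envelope routines", "unsupported") in r["errors"]:
        # Assumption: an EVP "unsupported" error beside the PKCS12 failure means
        # the loaded OpenSSL providers lack an algorithm the .p12 was built with.
        r["verdict"] = "unsupported-algorithm"
    else:
        r["verdict"] = "wrong-password-or-corrupt-file"
    return r
```

Feed it the output of `journalctl` for the failing connection; a `no_server_verify` value of `True` is worth fixing independently of the PKCS12 problem.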