Issue with openfortivpn after upgrading to Bookworm

#1 Post by mm3100 »

Hello everyone,

I need to connect to a server using openfortivpn; in order to do so I had to limit the TLS version and security level:

seclevel-1 = 1
min-tls = 1.0

But after upgrading to Bookworm it stopped working; I kept getting error messages:

ERROR:  SSL_connect: error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
You might want to try --insecure-ssl or specify a different --cipher-list
INFO:   Closed connection to gateway.
ERROR:  SSL_connect: error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
You might want to try --insecure-ssl or specify a different --cipher-list
INFO:   Could not log out.

I have tried to enable legacy in the ssl configuration file /etc/ssl/openssl.cnf:

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

But even then, when running openfortivpn with insecure-ssl = 1, it still fails to connect with the same message.
I have tried to disable the default provider, but then it complains about having no ciphers, probably since I have no clue what I am doing:

ERROR:  SSL_CTX_new: error:0A0000A1:SSL routines::library has no ciphers
INFO:   Closed connection to gateway.
ERROR:  SSL_CTX_new: error:0A0000A1:SSL routines::library has no ciphers
INFO:   Could not log out.

I am aware that there has been a change in openssl with version 3, it is just that I am not finding much for openfortivpn.
https://stackoverflow.com/questions/704 ... or-resolve

Any help would be welcomed.
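An added example, not code from this thread or from the openfortivpn or OpenSSL projects: a small Python checker that parses an openssl.cnf like the one above and follows the chain OpenSSL 3 uses to decide which providers to load (openssl_conf in the unnamed top section, then the init section's providers list, then each provider's section and its activate key). It lets you confirm that an edited config really activates the legacy provider before loosening anything else. It assumes the plain key = value layout shown here with no .include directives, and both sample configs are constructed.

```python
def parse_cnf(text):
    """Parse OpenSSL-style config into {section: {key: value}}; the unnamed
    section before the first [header] is stored under ''. Handles only the
    plain key = value form (no .include directives, no ${var} expansion)."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def active_providers(text):
    """Return the provider names this config activates, following the chain
    openssl_conf -> [init] providers -> [provider list] -> [section] activate."""
    cfg = parse_cnf(text)
    init = cfg[""].get("openssl_conf")
    if init is None:
        # Without this top-level pointer OpenSSL never reads the init section,
        # so an added [legacy_sect] is ignored and only the built-in default loads.
        return set()
    prov_sect = cfg.get(init, {}).get("providers")
    return {name for name, sect in cfg.get(prov_sect, {}).items()
            if cfg.get(sect, {}).get("activate") == "1"}  # value used on this page


# Constructed sample: the sections from post #1 plus the openssl_conf line that
# Debian's stock /etc/ssl/openssl.cnf already carries near the top of the file.
SAMPLE_OK = """openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""

# Same sections with the pointer missing: editing openssl.cnf then changes nothing.
SAMPLE_NO_POINTER = SAMPLE_OK.replace("openssl_conf = openssl_init\n", "")
```

Run `active_providers(open("/etc/ssl/openssl.cnf").read())` on the real file to see which providers the config would activate; an empty result with a legacy section present usually means the openssl_conf pointer is missing.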

#2 Post by Aki »

Hello,

openfortivpn works in my Debian Bookworm installation as expected.

In the Debian Bug Tracking System, no relevant bugs have been reported.

Could it be something to do with your installation or the VPN server you are connecting to?

#3 Post by mm3100 »

Hello,

The server I am connecting to uses an outdated configuration that is not in my control. It used to work on Debian 11, but now I am unsure why it is failing to connect.

Is there a way for me to check what could be the cause of it? Looking around, I haven't found much about such an issue in openfortivpn itself; mostly it was connected to openssl.

Checking debsums doesn't show anything out of ordinary.

I have had this issue since upgrading a month ago, but didn't have time to find out the cause.

#4 Post by vojtech »

Dear mm3100,
I encountered the same issue. Openvpn client on Bookworm, server on older Debian. Did you find the cause of the error and a possible solution?

#5 Post by vojtech »

In my case, the problem is really that OpenSSL 3 does not support the BF-CBC cipher (nowadays not considered secure). As you discovered, it is possible to force openssl to use it by enabling the legacy provider. However, not in the openssl config itself, but in the openvpn config:

providers legacy default
compat-mode 2.3.4
or whatever version the openvpn server has.

#6 Post by Aki »

vojtech wrote: 2023-11-29 10:10 In my case, the problem is really that OpenSSL 3 does not support the BF-CBC cipher (nowadays not considered secure). As you discovered, it is possible to force openssl to use it by enabling the legacy provider. However, not in the openssl config itself, but in the openvpn config:

providers legacy default
compat-mode 2.3.4
or whatever version the openvpn server has.

@vojtech:

Thanks for updating the discussion and proposing a solution at configuration level.

Therefore, it is confirmed that it is caused by servers running ciphers considered insecure by recent releases of openssl and/or openfortivpn clients.