OpenVPN-Tunnels not working due to chiper 'AES-256-CBC' not in list

Hello,

after a FW-upgrade from 7.4.5 to 7.6.13 at a RUT240, I encountered that OpenVPN-Tunnels are not working.

log-message:
Thu Jul 18 08:05:03 2024 daemon.warn openvpn(enbw)[7272]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
Thu Jul 18 08:05:03 2024 daemon.warn openvpn(enbw)[7272]: Multiple --down scripts defined. The previously configured script is overridden.
Thu Jul 18 08:05:03 2024 daemon.warn openvpn(enbw)[7272]: Multiple --up scripts defined. The previously configured script is overridden.
Thu Jul 18 08:05:03 2024 daemon.warn openvpn(enbw)[7272]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
Thu Jul 18 08:05:03 2024 daemon.notice openvpn(enbw)[7272]: OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Jul 18 08:05:03 2024 daemon.notice openvpn(enbw)[7272]: library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Thu Jul 18 08:05:03 2024 daemon.warn openvpn(enbw)[7272]: WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
Thu Jul 18 08:05:03 2024 daemon.warn openvpn(enbw)[7272]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 18 08:05:04 2024 daemon.err openvpn(enbw)[7272]: OpenSSL: error:0A00018E:lib(20)::reason(398)
Thu Jul 18 08:05:04 2024 daemon.err openvpn(enbw)[7272]: Cannot load inline certificate file
Thu Jul 18 08:05:04 2024 daemon.notice openvpn(enbw)[7272]: Exiting due to fatal error

So the chiper ‘AES-256-CBC’ is not - longer - supported by default in 7.16.3?
Where to add this chiper again?

Thanks
Solarix

Hello,

AES-256-CBC encryption should still be used for version 07.06.13 and later. It was not removed, and it remains the default encryption algorithm.

Best regards,

Hi Marijus,

yes, I can see that in case I want to add a new Client. Therefore the chiper is available.

But where is
“DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.”

coming from?

Where can I find the OpenVPN configuration for the client-settings?
It is not under /etc/openvpn. Only 2 templates there…

Thanks
Solarix

After further investigation
“DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in…”
is possibly not the reason for “no connection”.

It is problably
“Thu Jul 18 08:05:04 2024 daemon.err openvpn(enbw)[7272]: OpenSSL: error:0A00018E:lib(20)::reason(398)
Thu Jul 18 08:05:04 2024 daemon.err openvpn(enbw)[7272]: Cannot load inline certificate file
Thu Jul 18 08:05:04 2024 daemon.notice openvpn(enbw)[7272]: Exiting due to fatal error”

This is happen to 3 client-configrations at this device.
Therefore, I assume, this is a common failure with OpenSSL at version 1.6.13…?

Thank

Solarix

Hi,

We recently removed some less secure encryption algorithms 07.05 firmware updates and further updates. To avoid issues with OpenVPN on the client side, please update your OpenVPN server to use newer encryption methods.

Best regards,

This topic was automatically closed after 15 days. New replies are no longer allowed.