Note: This KB article is related to Linux distributions that use OpenSSL3, such as Ubuntu 22 and Red Hat 9.
Unsupported ciphers error
In the past, Access Server used BF-CBC (Blowfish) as the default encryption cipher, but it was deprecated and replaced with AES-256 as the new default since Access Server 2.5.0. Older configurations, for compatibility reasons, may still want to support the older cipher.
OpenSSL 3.0.0+, which is now standard with newer operating systems, requires further steps to enable support for BF-CBC. This document provides guidance on the recommended path to stop using BF-CBC or, if that is not possible, the necessary steps to reenable it.
If you configure Access Server to use BF-CBC, but the operating system uses OpenSSL3, you may see an error message like this in the logs and in the sacli start output:
'Options error: --data-ciphers list contains unsupported ciphers or is too long.'
That's because the operating system's OpenSSL3 library requires a special flag to reenable support for legacy ciphers.
Recommended solution — disable BF-CBC (Blowfish):
We recommend configuring Access Server to use AES-256 as the new default. This resolves the "unsupported ciphers" error message and removes support for BF-CBC. The Blowfish cipher was deprecated because it was found to have certain weaknesses, and while OpenVPN has mitigations in place for those weaknesses, it is still recommended to stop using Blowfish. This may impact outdated clients such as OpenVPN 2.3 or older, but clients such as version 2.4 and newer automatically try to negotiate for better ciphers such as AES-256, so it should be fine.
To configure Access Server to use AES-256 as the new default, use these commands as the root user:
cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.server.cipher" --value "AES-256-CBC" ConfigPut
./sacli --key "vpn.client.cipher" --value "AES-256-CBC" ConfigPut
./sacli start
If the error message persists, you may have BF-CBC or another unsupported cipher in your data-ciphers configuration. You can use these commands to clear it so it resets to default settings:
cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli --key "vpn.server.enable_cipher_fallback" ConfigDel
./sacli start
Your Access Server should now work with AES-256 as the default cipher and no longer use the deprecated BF-CBC cipher.
You should check if your clients can connect. If you have older clients, you may resolve issues by providing them with new connection profiles or updating the client program to a recent version. If that is not possible, then read on to learn how to configure Access Server to allow BF-CBC for older clients.
Alternate solution — reenable BF-CBC (Blowfish):
If you must reenable the deprecated BF-CBC cipher, you have two options:
- Deploy Access Server on an operating system with OpenSSL3 and apply the necessary configuration changes to reenable BF-CBC.
- Deploy Access Server on an operating system with OpenSSL1 (not recommended).
Follow the instructions below to reenable BF-CBC support on OpenSSL3 (option one).
Note: If your Access Server doesn't start because it can't use BF-CBC, run the commands from the Recommended Solution section above to get Access Server to start properly. You can then follow the steps below to sign into the Admin Web UI and make the necessary configuration changes to reenable support for BF-CBC (Blowfish).
Add server config directive
The first step to reenable BF-CBC support is to add a Server Config Directive:
- Sign in to the Admin Web UI.
- Click Configuration > Advanced VPN.
- Under Additional OpenVPN Config Directive (Advanced), add "providers default legacy" to Server Config Directives:
Execute commands for cipher fallback support
After adding the server config directive, you can execute the necessary commands to set BF-CBC as the cipher to support older clients:
- Connect to your console with root privileges.
- Run these commands:
cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.server.cipher" --value "BF-CBC" ConfigPut
./sacli --key "vpn.client.cipher" --value "BF-CBC" ConfigPut
./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli --key "vpn.server.enable_cipher_fallback" --value "true" ConfigPut
./sacli start
Here is an example of a successful client connection using BF-CBC:
root@Ubuntu-Server:~# openvpn --config bf.ovpn --data-ciphers BF-CBC
2023-07-27 16:12:26 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (BF-CBC). OpenVPN ignores --cipher for cipher negotiations.
2023-07-27 16:12:26 OpenVPN 2.6.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
2023-07-27 16:12:26 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Auth Username: openvpn
Enter Auth Password: *******
2023-07-27 16:12:29 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-07-27 16:12:29 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-07-27 16:12:29 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-07-27 16:12:29 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-07-27 16:12:29 TCP/UDP: Preserving recently used remote address: [AF_INET]64.227.97.9:1194
2023-07-27 16:12:31 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2023-07-27 16:12:31 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,route-gateway 172.27.232.1,route 67.207.67.2,route 67.207.67.3,route 10.48.0.0 255.255.240.0,route 10.124.0.0 255.255.240.0,route 172.27.224.0 255.255.240.0,dns server 10 address 67.207.67.3,dns server 11 address 67.207.67.2,dns server 12 address 67.207.67.3,dns server 13 address 67.207.67.2,dns server 14 address 67.207.67.3,dns server 15 address 67.207.67.2,register-dns,block-ipv6,ifconfig 172.27.232.2 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher BF-CBC,protocol-flags cc-exit tls-ekm,tun-mtu 1500'
2023-07-27 16:12:31 Data Channel: using negotiated cipher 'BF-CBC'
2023-07-27 16:12:36 Initialization Sequence Completed
And as viewed from the Access Server's /var/log/openvpnas.log file:
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY OK: depth=1, CN=OpenVPN CA'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY KU OK'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 Validating certificate extended key usage'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY EKU OK'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY OK: depth=0, CN=openvpn'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_VER=2.6.0'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_PLAT=linux'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_TCPNL=1'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_MTU=1600'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_CIPHERS=BF-CBC'
2023-07-27T16:12:32+0000 [stdout#info] [OVPN 1] OUT: "2023-07-27 16:12:32 openvpn/167.99.7.70:33334 Data Channel: cipher 'BF-CBC', auth 'SHA1', peer-id: 0"
And from the Access Server sacli vpnstatus output:
"openvpn_1": {
"client_list": [
[
"openvpn",
"167.99.7.70:33334",
"172.27.232.2",
"",
"6511",
"7692",
"2023-07-27 16:12:30",
"1690474350",
"openvpn",
"0",
"0",
"BF-CBC"
If you have additional questions, please submit a ticket.
Comments
0 comments
Please sign in to leave a comment.