Access Server: enable backwards compatibility support for BF-CBC (Blowfish) on OpenSSL3

Note: This KB article is related to Linux distributions that use OpenSSL3, such as 
Ubuntu 22 and Red Hat 9.

Unsupported ciphers error

In the past, Access Server used BF-CBC or Blowfish as the default encryption cipher, but it was deprecated and replaced with AES-256 as the new default since Access Server 2.5.0.

OpenSSL 3.0.0+, which now comes standard with newer operating systems, requires further steps to enable support for BF-CBC. This document provides guidance on the recommended path to stop using BF-CBC (Blowfish) or — if that is not possible — the necessary steps to reenable it.

If you configure Access Server to use BF-CBC, but the operating system uses OpenSSL3, you may see an error message like this in the logs and in sacli start output:

'Options error: --data-ciphers list contains unsupported ciphers or is too long.'

That's because the operating system requires a special flag to reenable support for legacy ciphers.

Recommended solution — disable BF-CBC (Blowfish): 

We recommend configuring Access Server to use AES-256 as the new default. This resolves the "unsupported ciphers" error message but removes support for BF-CBC, impacting outdated clients such as OpenVPN 2.3 or older. Clients such as version 2.4 and newer automatically try to negotiate for better ciphers such as AES-256.

To configure Access Server to use AES-256 as the new default, use these commands as root user:

cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.server.cipher" --value "AES-256-CBC" ConfigPut
./sacli --key "vpn.client.cipher" --value "AES-256-CBC" ConfigPut
./sacli start

If the error message persists, you may have BF-CBC or another unsupported cipher in your data-ciphers configuration. You can use these commands to clear it so it resets to default settings:

cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli --key "vpn.server.enable_cipher_fallback" ConfigDel
./sacli start

Your Access Server should now work with AES-256 as the default cipher and no longer use the deprecated BF-CBC (Blowfish) cipher.

You should check if your clients can connect. If you have older clients, you may resolve issues by providing them with new connection profiles or updating the client program to a recent version. If that is not possible, then read on to learn how to configure Access Server to allow BF-CBC (Blowfish) for older clients.

Alternate solution — reenable BF-CBC (Blowfish):

If you must reenable the deprecated BF-CBC (Blowfish) cipher, you have two options:

1. Deploy Access Server on an operating system with OpenSSL3 and apply the necessary configuration changes to reenable BF-CBC (Blowfish).
2. Deploy Access Server on an operating system with OpenSSL1 (not recommended).

Follow the instructions below to reenable BF-CBC (Blowfish) support on OpenSSL3 (option one).

Note: If your Access Server doesn't start because it can't use BF-CBC (Blowfish), run the commands from the Recommended Solution section above to get Access Server to start properly. You can then follow the steps below to sign into the Admin Web UI and make the necessary configuration changes to reenable support for BF-CBC (Blowfish).

Add server config directive

The first step to reenable BF-CBC (Blowfish) support is to add a Server Config Directive:

1. Sign into the Admin Web UI.
2. Click Configuration > Advanced VPN.
3. Under Additional OpenVPN Config Directive (Advanced), add "providers default legacy" to Server Config Directives:

Execute commands for cipher fallback support

After adding the server config directive, you can execute the necessary commands to set BF-CBC as the cipher to support older clients:

1. Connect to your console with root privileges.
2. Run these commands:

cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.server.cipher" --value "BF-CBC" ConfigPut
./sacli --key "vpn.client.cipher" --value "BF-CBC" ConfigPut
./sacli --key "vpn.server.data_ciphers" ConfigDel
./sacli --key "vpn.server.enable_cipher_fallback" --value "true" ConfigPut
./sacli start

Here is an example of a successful client connection using BF-CBC:

root@Ubuntu-Server:~# openvpn --config bf.ovpn --data-ciphers BF-CBC
2023-07-27 16:12:26 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (BF-CBC). OpenVPN ignores --cipher for cipher negotiations.
2023-07-27 16:12:26 OpenVPN 2.6.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
2023-07-27 16:12:26 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Auth Username: openvpn
Enter Auth Password: *******
2023-07-27 16:12:29 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-07-27 16:12:29 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-07-27 16:12:29 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-07-27 16:12:29 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-07-27 16:12:29 TCP/UDP: Preserving recently used remote address: [AF_INET]64.227.97.9:1194
2023-07-27 16:12:31 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2023-07-27 16:12:31 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,route-gateway 172.27.232.1,route 67.207.67.2,route 67.207.67.3,route 10.48.0.0 255.255.240.0,route 10.124.0.0 255.255.240.0,route 172.27.224.0 255.255.240.0,dns server 10 address 67.207.67.3,dns server 11 address 67.207.67.2,dns server 12 address 67.207.67.3,dns server 13 address 67.207.67.2,dns server 14 address 67.207.67.3,dns server 15 address 67.207.67.2,register-dns,block-ipv6,ifconfig 172.27.232.2 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher BF-CBC,protocol-flags cc-exit tls-ekm,tun-mtu 1500'
2023-07-27 16:12:31 Data Channel: using negotiated cipher 'BF-CBC'
2023-07-27 16:12:36 Initialization Sequence Completed

And as viewed from the Access Server's /var/log/openvpnas.log file:

2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY OK: depth=1, CN=OpenVPN CA'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY KU OK'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 Validating certificate extended key usage'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY EKU OK'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 VERIFY OK: depth=0, CN=openvpn'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_VER=2.6.0'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_PLAT=linux'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_TCPNL=1'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_MTU=1600'
2023-07-27T16:12:30+0000 [stdout#info] [OVPN 1] OUT: '2023-07-27 16:12:30 167.99.7.70:33334 peer info: IV_CIPHERS=BF-CBC'
2023-07-27T16:12:32+0000 [stdout#info] [OVPN 1] OUT: "2023-07-27 16:12:32 openvpn/167.99.7.70:33334 Data Channel: cipher 'BF-CBC', auth 'SHA1', peer-id: 0"

And from the Access Server sacli vpnstatus output:

 "openvpn_1": {
"client_list": [
[
"openvpn",
"167.99.7.70:33334",
"172.27.232.2",
"",
"6511",
"7692",
"2023-07-27 16:12:30",
"1690474350",
"openvpn",
"0",
"0",
"BF-CBC"

If you have additional questions, please submit a ticket.