After updating openssl to 0.9.7g openvpn fails to start:

openvpn log:
Aug 27 13:51:42 [openvpn] OpenVPN 2.0.1 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Aug 27 2005
Aug 27 13:51:42 [openvpn] Cipher algorithm 'BF-CBC' not found (OpenSSL)
Aug 27 13:51:42 [openvpn] Exiting

It cannot find BF-CBC

music ~ # openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN. Each cipher shown below may be
used as a parameter to the --cipher option. The default
key size is shown as well as whether or not it can be
changed with the --keysize directive. Using a CBC mode
is recommended.

DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE3-CBC 192 bit default key (fixed)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)

But libssl seems to have BF-CBC

music ~ # strings /usr/lib/libssl.so.0.9.7 | grep BF
BF-CBC
BF-ECB
BF-CFB
BF-OFB
BFIPS_RAND_BYTES

I also have tried to recompile openvpn. Same results.
openssl-0.9.7e-r1 works fine.

A similar problem was discovered earlier with openssl 0.9.7d-r1 (see URL).

Reproducible: Always

Steps to Reproduce:
1. USE="~x86" emerge =dev-libs/openssl-0.9.7-r1
2. /etc/init.d/openvpn start
3.
Actual Results:
Cipher algorithm 'BF-CBC' not found (OpenSSL)

Expected Results:
openvpn should start

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.5-r1, 2.6.12-gentoo-r9-01 i686)
=================================================================
System uname: 2.6.12-gentoo-r9-01 i686 AMD Athlon(tm) XP 2200+
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
dev-lang/python: 2.3.5
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.18-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=athlon-xp -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=athlon-xp -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distcc distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo"
LANG="ru_RU.koi8r"
LC_ALL="ru_RU.koi8r"
MAKEOPTS="-j4"
PKGDIR="/mnt/win_h/portage-pkg"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 7zip X aac aalib acpi alsa apm avi bash-completion berkdb bitmap-fonts bonobo bzip2 bzlib cdr cpdflib crypt cups curl divx doc dvd dvdr dvdread eds emacs emboss encode ethereal exif fam firefox flac flash flatfile fontserver foomaticdb fortran ftp gcj gd gdbm gif gimpprint gnome gpm gstreamer gtk gtk2 gtkhtml guile hal iconv icq imagemagick imlib ipv6 jabber java jpeg libg++ libwww mad mikmod ming mmx mmxext mng motif mozilla mozsvg mp3 mpeg mule ncurses nls nptl ogg oggvorbis opengl oscar pam pcre pda pdflib perl php plotutils plugin png pnp posix ppds python quicktime readline samba sdl sockets spell sqlite sse ssl svg tcltk tcpd tetex theora tiff truetype truetype-fonts type1-fonts usb vorbis wmf x xine xml xml2 xmms xosd xpm xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LDFLAGS, LINGUAS
openvpn-2.0.2-r1 reports these ciphers are being emerged against openssl-0.9.7e-r2

DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
*** Bug 112865 has been marked as a duplicate of this bug. ***
Reopen wrt Bug 112865. This bug is not about openssl-0.9.7e; it fails with >=0.9.7g
openvpn-2.0.5-r2 reports the correct ciphers built against openssl-0.9.7i
After I installed openssl-0.9.7i on both machines and restarted, openvpn-2.0.5-r2 was unable to connect. I recompiled openvpn on the fast machine and got a smaller list of ciphers:

DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE3-CBC 192 bit default key (fixed)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)

This version connects to the slow openvpn server successfully. The slow server still has the full list of ciphers.

I know this is not complete information, but my guess is that openvpn won't build blowfish against openssl-0.9.7i, and if compiled against an older openssl, its blowfish won't work with openssl-0.9.7i.

If you really BUILT openvpn-2.0.5 against openssl-0.9.7i and got all ciphers, there must be something else involved...
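Added example (not part of the original thread or of OpenVPN): a small check that parses `openvpn --show-ciphers` output captured on two endpoints and reports whether the cipher in use exists on both. The function names are hypothetical, the sample text is constructed from the cipher rows quoted in this thread, and the `BF-CBC` default argument is taken from the log message in the original report.

```python
import re

# One cipher row of `openvpn --show-ciphers`, e.g.
# "BF-CBC 128 bit default key (variable)"; header text does not match.
ROW = re.compile(r"^([A-Z0-9-]+)\s+(\d+) bit default key \((fixed|variable)\)$")

def parse_show_ciphers(text):
    """Return {cipher: (default key bits, 'fixed'|'variable')}."""
    ciphers = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ciphers[m.group(1)] = (int(m.group(2)), m.group(3))
    return ciphers

def compare_endpoints(local_out, remote_out, cipher="BF-CBC"):
    """Compare two endpoints' cipher lists for the cipher being used."""
    local = set(parse_show_ciphers(local_out))
    remote = set(parse_show_ciphers(remote_out))
    return {
        "cipher": cipher,
        "usable": cipher in local and cipher in remote,
        "missing_local": sorted(remote - local),
        "missing_remote": sorted(local - remote),
        "common": sorted(local & remote),
    }

# Constructed sample: the reduced list reported in this thread.
REDUCED = """\
The following ciphers and cipher modes are available
for use with OpenVPN. Using a CBC mode is recommended.
DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE3-CBC 192 bit default key (fixed)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
"""
# Constructed sample: the full list (reduced rows plus the extra seven).
FULL = REDUCED + """\
DES-EDE-CBC 128 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
"""
```

Running `compare_endpoints(REDUCED, FULL)` flags `BF-CBC` as unusable on the reduced side and lists the seven ciphers that side lacks.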
(In reply to comment #4)
> openvpn-2.0.5-r2 reports the correct ciphers built against openssl-0.9.7i
>

Update: on a third machine, it works for me too (but I didn't try to connect)
I still have this bug: openvpn-2.0.5-r2 against openssl-0.9.7i is missing the BF-CRC cipher. Arch is x86. There was a workaround on the forum that it didn't happen with 0.9.7e-r2, but the compile fails.