When OpenSSL 3.0 was released, some outdated algorithms were moved into a separate module called the "legacy provider". The intention is to highlight weakened and old cryptographic methods and hopefully phasing them out quickly.
However, some of those algorithms are still being in use today and have been used in the past before they have been replaced by something newer. Using an OpenVPN client with OpenSSL 3.0 or newer will now result in certain connections no longer working as their certificates have been created with OpenSSL 1.1.1 or older which OpenSSL 3.0 or newer refuses to load.
You will notice this when OpenVPN fails very quickly before even attempting opening a connection logging these lines:
OpenSSL: error: 11800071:PKCS12 routines::mac verify failure
OpenSSL: error: 0308010C:digital envelope routines::unsupported
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
This will quite likely suddenly show up after your OpenVPN client has been updated to use OpenSSL 3.0 or a newer release.
Although this problem is due to the changes in OpenSSL, things are better after IPFire - Core Update 175. In this release, certificates and keys will be created to be compatible with OpenSSL 3.0 and later which is why it is recommended to regenerate connections and re-importing them into the client.
Available Workarounds
If you cannot replace your connection, you can just re-import an existing one from an IPFire system that is at least on Core Update 175. If you prefer to make the change manually, you can add this line to your OpenVPN configuration file or (if your client allows) enable the legacy provider through ticking the appropriate checkbox:
providers legacy default
It is known that the following clients do not support enabling the legacy mode:
- NetworkManager (all releases)