error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Jan 16, 2017 3:44 am
error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
if anyone can tell me how to solve this problem on iOS?
log:
error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
log:
error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
Where did you get your config file ?
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Jan 16, 2017 3:44 am
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
That is my company's openvpn config file, I used itunes send it to my iphone.TinCanTech wrote:Where did you get your config file ?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
Please post the config file here (remove the public name of your server)
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Jan 16, 2017 3:44 am
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
I can use this on my mac.TinCanTech wrote:Please post the config file here (remove the public name of your server)
client
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXX.XXX.XXX.XXX 80
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert XXX.crt
key XXX.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXX.XXX.XXX.XXX 80
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert XXX.crt
key XXX.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
ven wrote:That is my company's openvpn config file, I used itunes send it to my iphone
I suggest you ask your company for an iphone compatible config.ven wrote:I can use this on my mac
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Jan 16, 2017 3:44 am
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
ok,thanksTinCanTech wrote:ven wrote:That is my company's openvpn config file, I used itunes send it to my iphoneI suggest you ask your company for an iphone compatible config.ven wrote:I can use this on my mac
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Aug 10, 2017 11:16 am
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
I have exactly the same error when trying to connect to my VPN server on both the IOS and Android clients. Other clients (like OpenVPN for Android and openvpn on Linux) work fine with the same configuration and keys. So to my opinion the issue seems to be in the OpenVPN Connect client.
Herewith my error message from the logfile:
EVENT: CORE_ERROR PolarSSL: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
I created my certificates with easy-rsa 3.0.1 (easy-rsa-3.0.1-2.fc26.noarch) and am running openvpn server 2.4.3 (openvpn-2.4.3-1.fc26.armv7hl).
Any suggestion on how to solve the error?
Herewith my error message from the logfile:
EVENT: CORE_ERROR PolarSSL: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
I created my certificates with easy-rsa 3.0.1 (easy-rsa-3.0.1-2.fc26.noarch) and am running openvpn server 2.4.3 (openvpn-2.4.3-1.fc26.armv7hl).
Any suggestion on how to solve the error?
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Aug 10, 2017 11:16 am
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
Some extra info. Problem exists in client because the error is thrown before setting up the connection, it does not reach the server. It seems the client cannot parse my private key:
Code: Select all
2017-08-10 15:43:34 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-08-10 15:43:34 Frame=512/2048/512 mssfix-ctrl=1250
2017-08-10 15:43:34 EVENT: CORE_ERROR PolarSSL: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
2017-08-10 15:43:34 Raw stats on disconnect:
2017-08-10 15:43:34 Performance stats on disconnect:
CPU usage (microseconds): 3950
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2017-08-10 15:43:34 EVENT: DISCONNECT_PENDING
2017-08-10 15:43:34 ----- OpenVPN Stop -----
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Aug 10, 2017 11:16 am
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
Found the root cause!
The issue was that the password protected private keyfile of the certificate started with:
instead of:
I solved this by changing the password with the easy-rsa tool:
Good luck for everyone facing the same issue!
The issue was that the password protected private keyfile of the certificate started with:
Code: Select all
-----BEGIN ENCRYPTED PRIVATE KEY-----
Code: Select all
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
Code: Select all
./easyrsa set-rsa-pass <filename_base>
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Aug 24, 2017 7:08 pm
Re: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
I recently updated my PI and ran into the issue...
Client: iPhone 7 with IOS 11 and latest OpenVPN store app
Server: RasPi 3 with fully updated Stretch release and configured via piVPN script.
Test: encrypted key string replaced with RSA key 3rdes.
Result: connection changes to 'using external certificate' and is unable to connect.
Workaround: Reverted back to RasPI Jessie distribution and everything works again without issue.
Client: iPhone 7 with IOS 11 and latest OpenVPN store app
Server: RasPi 3 with fully updated Stretch release and configured via piVPN script.
Test: encrypted key string replaced with RSA key 3rdes.
Result: connection changes to 'using external certificate' and is unable to connect.
Workaround: Reverted back to RasPI Jessie distribution and everything works again without issue.