crypto_alg: SHA3-512: not found

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Torsten Robitzki
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 19, 2021 11:41 am

Post by Torsten Robitzki » Thu Aug 19, 2021 11:43 am

Hi,
while importing an .ovpn profile given by a customer, I receive the error message: "crypto_alg: SHA3-512: not found". How would I add support for that hash function to OpenVPN and/or to my macOS installation?

Thanks in advance and best regards,

Torsten

Torsten Robitzki
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 19, 2021 11:41 am

Re: crypto_alg: SHA3-512: not found

Post by Torsten Robitzki » Tue Aug 24, 2021 8:10 am

Looks like OpenVPN is based on OpenSSL, which by default seems to be LibreSSL on macOS. After installing openssl using brew, I see that OpenSSL has the SHA3-512 algorithm. But I can't convince OpenVPN Connect to use that library.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: crypto_alg: SHA3-512: not found

Post by openvpn_inc » Mon Aug 30, 2021 12:12 pm

Hello,

OpenVPN Connect only supports the commonly used algorithms, not all that exist out there. SHA3 is not on that list, and probably won't be added either, because we're focusing more on AEAD ciphers, which don't use the --auth directive. Simply put, the signing/validating of packets is part of the AEAD-type ciphers already and doesn't need to occur separately like with CBC ciphers. Connect tries to upgrade to using AEAD ciphers by default. If you see in the logs 'AES-256-GCM', for example, as the cipher being used, that's an AEAD-type cipher.

It is also questionable how much use it is to use SHA3 over SHA1 for the purpose of signing/validating packets if you ignore the whole AEAD thing. It would severely negatively impact your speed at little to no additional benefit with regard to security.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
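
An added example, not part of the original posts and not OpenVPN Inc. code: a small profile check that reports what in an .ovpn profile would still use the `auth` digest, following the reply's point that AEAD ciphers authenticate packets themselves. The AEAD cipher list, the function names and the sample profile are assumptions made here; the `tls-auth` case is included because the OpenVPN manual states that `--auth` also selects the digest for the tls-auth control-channel HMAC.

```python
import re

# AEAD data-channel ciphers (assumed list); these authenticate packets themselves.
AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

def parse_profile(text):
    """Collect the directives that decide whether the `auth` digest is used."""
    found = {"auth": None, "ciphers": [], "tls_auth": False}
    inline = None  # name of the inline <block> being skipped, if any
    for raw in text.splitlines():
        # A token starting with '#' or ';' begins a comment to end of line.
        tokens = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].split()
        if not tokens:
            continue
        key, args = tokens[0].lstrip("-"), tokens[1:]
        if inline:  # inside <ca>, <key>, ...: ignore content until the close tag
            if key == f"</{inline}>":
                inline = None
            continue
        if key.startswith("<") and key.endswith(">"):
            inline = key[1:-1]
            found["tls_auth"] |= inline == "tls-auth"
        elif key == "tls-auth":
            found["tls_auth"] = True
        elif key == "auth" and args:
            found["auth"] = args[0].upper()
        elif key in ("cipher", "data-ciphers-fallback") and args:
            found["ciphers"].append(args[0].upper())
        elif key in ("data-ciphers", "ncp-ciphers") and args:
            found["ciphers"] += args[0].upper().split(":")
    return found

def auth_usage(text):
    """Return (auth digest, things in the profile that would still use it)."""
    p = parse_profile(text)
    users = [c for c in dict.fromkeys(p["ciphers"]) if c not in AEAD]
    if p["tls_auth"]:
        users.append("tls-auth")
    return p["auth"], users

# Constructed sample profile, not the customer's file from the thread.
SAMPLE = """\
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-256-CBC
auth SHA3-512   # digest named in the thread's error message
<ca>
auth placeholder-inside-inline-block
</ca>
"""
print(auth_usage(SAMPLE))
```

An empty second element means nothing listed in the profile relies on the `auth` digest; a non-empty one names the CBC ciphers or tls-auth setting that the server side would have to change together with the digest.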
