
Windows 11 cannot connect OpenVPN error “Legacy renegotiation disabled” (FIXED)

If you have recently installed the latest Windows version of OpenVPN Connect (version 3.4 onwards), you may find that a connection cannot be established, and the logs show cryptic errors such as "OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled".

Error messages

2023-11-03 10:52:39 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-11-03 10:52:39 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-11-03 10:52:39 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-11-03 10:52:39 DCO version: v0
2023-11-03 10:52:41 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-11-03 10:52:41 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.100:1194
2023-11-03 10:52:41 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-11-03 10:52:41 UDP link local: (not bound)
2023-11-03 10:52:41 UDP link remote: [AF_INET]192.168.1.100:1194
2023-11-03 10:52:41 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-11-03 10:52:41 OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:
2023-11-03 10:52:41 TLS_ERROR: BIO read tls_read_plaintext error
2023-11-03 10:52:41 TLS Error: TLS object -> incoming plaintext read error
2023-11-03 10:52:41 TLS Error: TLS handshake failed
2023-11-03 10:52:41 SIGUSR1[soft,tls-error] received, process restarting
2023-11-03 10:52:43 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-11-03 10:52:43 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.100:1194
2023-11-03 10:52:43 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-11-03 10:52:43 UDP link local: (not bound)
2023-11-03 10:52:43 UDP link remote: [AF_INET]192.168.1.100:1194
2023-11-03 10:52:43 OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:
2023-11-03 10:52:43 TLS_ERROR: BIO read tls_read_plaintext error
2023-11-03 10:52:43 TLS Error: TLS object -> incoming plaintext read error
2023-11-03 10:52:43 TLS Error: TLS handshake failed
2023-11-03 10:52:43 SIGUSR1[soft,tls-error] received, process restarting
2023-11-03 10:52:44 SIGTERM[hard,init_instance] received, process exiting

The cause?

According to the OpenVPN Connect release notes and change log, from version 3.4.0 onwards the bundled OpenSSL library was switched to v3.0.8.

OpenSSL 3 changed several default options; one of them is the legacy server connect setting, which is now disabled by default.

Many OpenVPN servers still run older versions of the OpenSSL library that cannot perform secure renegotiation, so they fail to establish a secure connection with these newer clients.

The solution

The good news is that the setting can be overridden, although we need to warn you: if you go ahead with this, you will be allowing unsafe legacy renegotiation, so the SSL connection could be vulnerable to the man-in-the-middle prefix attack described in CVE-2009-3555.

If you’re happy to take the risk, read on.

  • Create an OpenSSL config file (openssl.cnf) containing the following:
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect

This file should be placed in your home directory, e.g. C:\Users\Richard\openssl.cnf

  • Update your USER environment variables:
    • Via PowerShell:
      • From a PowerShell prompt, enter [Environment]::SetEnvironmentVariable("OPENSSL_CONF", "$env:USERPROFILE\openssl.cnf", "User") (PowerShell expands $env:USERPROFILE to the full path before the value is stored)
    • or via Control Panel:
      • Press Win-X, or right-click the Start button
      • Select System
      • Advanced System Settings
      • Environment Variables
      • Under User variables, click New
      • Variable name = OPENSSL_CONF
      • Variable value = %USERPROFILE%\openssl.cnf (or the path to the openssl.cnf file created above)
  • Close and re-open OpenVPN Connect (or reboot)
  • Connect successfully!
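The steps above, scripted, as an added example that is not part of the original post: it writes the openssl.cnf from the post into the user profile, stores OPENSSL_CONF as a per-user variable with the path already expanded, reads both back to confirm they are in place, and provides a function to remove the override again. The function names (Enable-, Test- and Disable-LegacyRenegotiationOverride) are this example's own. Because OPENSSL_CONF is a user-wide variable, any other OpenSSL-based program started in that session that loads the default config will also accept legacy renegotiation, which is why the Disable function is there: remove the override as soon as the VPN server has been updated to support secure renegotiation.

```powershell
# Added example (not from the original post or from OpenVPN/OpenSSL): applies, verifies
# and reverts the OPENSSL_CONF override described in the post. Function names are ours.

function Enable-LegacyRenegotiationOverride {
    [CmdletBinding()]
    param(
        # Location of the override file; defaults to %USERPROFILE%\openssl.cnf as in the post
        [string]$ConfigPath = (Join-Path $env:USERPROFILE 'openssl.cnf')
    )

    # Exactly the configuration from the post. UnsafeLegacyServerConnect lets the client
    # talk to servers that cannot do secure renegotiation (the CVE-2009-3555 trade-off).
    $cnf = @'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect
'@

    # Write the file as UTF-8 without a byte-order mark, which OpenSSL's parser does not expect.
    [System.IO.File]::WriteAllText($ConfigPath, $cnf, [System.Text.UTF8Encoding]::new($false))

    # Store the fully expanded path rather than a literal %USERPROFILE% token.
    [Environment]::SetEnvironmentVariable('OPENSSL_CONF', $ConfigPath, 'User')

    Test-LegacyRenegotiationOverride
}

function Test-LegacyRenegotiationOverride {
    # Reads the persisted user variable back (not this process's copy) and checks that
    # the file it points at actually enables the option. Returns $true when both hold.
    $path = [Environment]::GetEnvironmentVariable('OPENSSL_CONF', 'User')
    if (-not $path) { Write-Warning 'OPENSSL_CONF is not set for this user.'; return $false }
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "OPENSSL_CONF points at a missing file: $path"; return $false }
    $ok = Select-String -LiteralPath $path -Pattern '^\s*Options\s*=.*UnsafeLegacyServerConnect' -Quiet
    if (-not $ok) { Write-Warning "$path does not set UnsafeLegacyServerConnect"; return $false }
    Write-Host "OPENSSL_CONF=$path (override active; restart OpenVPN Connect to pick it up)"
    return $true
}

function Disable-LegacyRenegotiationOverride {
    # Undo: delete the user variable and the file so the OpenSSL 3 default is restored.
    $path = [Environment]::GetEnvironmentVariable('OPENSSL_CONF', 'User')
    [Environment]::SetEnvironmentVariable('OPENSSL_CONF', $null, 'User')
    if ($path -and (Test-Path -LiteralPath $path)) { Remove-Item -LiteralPath $path }
    Write-Host 'OPENSSL_CONF override removed; restart OpenVPN Connect.'
}

# Usage:
#   Enable-LegacyRenegotiationOverride     # apply the workaround from the post
#   Test-LegacyRenegotiationOverride       # check later whether it is still in place
#   Disable-LegacyRenegotiationOverride    # revert once the VPN server has been updated
```

Run it from an ordinary (non-elevated) PowerShell prompt, since the variable is written under HKCU; OpenVPN Connect only sees the new variable after it is fully closed and started again, as the post notes.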

DrayTek Vigor problem

While I was trying to fix the above problem, I discovered another problem, related to the DrayTek Vigor 2826 running the latest firmware version.

When you export the client configuration, it includes a ping-exit 60 line, which the newest OpenVPN Connect client does not like and refuses to connect with. Simply remove that line before you import the profile.

DrayTek Vigor with OpenVPN GUI (not OpenVPN Connect)

If you use the OpenVPN GUI, available from Community Downloads, you may run into another problem too.

2023-11-06 16:05:28 DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-11-06 16:05:28 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-11-06 16:05:28 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-11-06 16:05:28 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-11-06 16:05:28 DCO version: v0
2023-11-06 16:05:44 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-11-06 16:05:44 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.100:1194
2023-11-06 16:05:44 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-11-06 16:05:44 UDP link local: (not bound)
2023-11-06 16:05:44 UDP link remote: [AF_INET]192.168.1.100:1194
2023-11-06 16:05:44 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-11-06 16:05:44 TLS ERROR: Unknown key_method/flags=95 received from remote host
2023-11-06 16:05:44 TLS Error: TLS handshake failed
2023-11-06 16:05:44 SIGUSR1[soft,tls-error] received, process restarting

If you set the encryption to AES256, the generated client configuration will include cipher aes-256-cbc, but when trying to connect you might get the errors TLS ERROR: Unknown key_method/flags=95 received from remote host and TLS Error: TLS handshake failed.

To fix this, add an extra line, data-ciphers aes-256-cbc, to the config.
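Both DrayTek fixes from this post (dropping the ping-exit line, and listing the CBC cipher in data-ciphers) applied to an exported profile in one go, as an added example that is not part of the original post or DrayTek's firmware. The function name Repair-DrayTekOvpnProfile is this example's own. The post documents only cipher aes-256-cbc; the example applies the same data-ciphers fix to whichever cipher value the exported profile contains, and appends it to an existing data-ciphers line instead of adding a second one.

```powershell
# Added example (not from the original post): repairs a DrayTek Vigor exported .ovpn
# profile so current OpenVPN Connect / OpenVPN GUI clients accept it. A .bak copy of the
# original is kept beside it. Function name is ours.

function Repair-DrayTekOvpnProfile {
    [CmdletBinding()]
    param(
        # Exported .ovpn profile to repair in place
        [Parameter(Mandatory)][string]$Path
    )

    $lines   = Get-Content -LiteralPath $Path
    $out     = [System.Collections.Generic.List[string]]::new()
    $changes = [System.Collections.Generic.List[string]]::new()
    $cipher  = $null
    $dataIdx = -1   # index in $out of an existing data-ciphers line, if any

    foreach ($line in $lines) {
        $t = $line.Trim()
        # Fix 1: the current OpenVPN Connect refuses a profile that contains ping-exit.
        if ($t -match '^ping-exit\b') { $changes.Add("removed: $t"); continue }
        if ($t -match '^cipher\s+(\S+)')  { $cipher  = $Matches[1] }
        if ($t -match '^data-ciphers\s+') { $dataIdx = $out.Count }
        $out.Add($line)
    }

    # Fix 2: OpenVPN 2.6 ignores --cipher during negotiation, so the cipher the router
    # expects must also appear in data-ciphers (the post's case is aes-256-cbc).
    if ($cipher) {
        $listed = "(?i)(^|[\s:])$([regex]::Escape($cipher))([\s:]|$)"
        if ($dataIdx -lt 0) {
            $out.Add("data-ciphers $cipher")
            $changes.Add("added: data-ciphers $cipher")
        } elseif ($out[$dataIdx] -notmatch $listed) {
            $out[$dataIdx] = $out[$dataIdx].TrimEnd() + ":$cipher"
            $changes.Add("appended ${cipher}: $($out[$dataIdx])")
        }
    }

    if ($changes.Count -eq 0) { Write-Host "No changes needed for $Path"; return $changes }

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    # Write as UTF-8 without BOM and with LF line endings, which both clients accept.
    [System.IO.File]::WriteAllText($Path, (($out -join "`n") + "`n"), [System.Text.UTF8Encoding]::new($false))
    $changes | ForEach-Object { Write-Host $_ }
    return $changes
}

# Usage (path is a placeholder for wherever the router's export was saved):
#   Repair-DrayTekOvpnProfile -Path "$env:USERPROFILE\Downloads\vigor-client.ovpn"
```

Inline certificate and key blocks in the export pass through untouched, because only lines beginning with ping-exit, cipher or data-ciphers are examined; review the printed change list before importing the profile.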