Private Internet Access ovpn files not working with OpenSSL-3.3.0.

[mdinslage]

I apologize in advance if this is not the correct place to report this issue. I am using Slackware-current and I about two weeks ago I noticed that my private internet access VPN would not connect using openvpn. After some digging I was able to confirm that the problem is being caused by openssl-3.3.0. Downgrading openssl to 3.2.1 fixes the problem and PIA starts working again. Here is some log output, if anyone has an ideas on how to fix this please let me know.

Thanks.

 openvpn PIA.us.chicago.ovpn 
2024-04-29 14:42:35 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-04-29 14:42:35 OpenVPN 2.6.10 x86_64-slackware-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-04-29 14:42:35 library versions: OpenSSL 3.3.0 9 Apr 2024, LZO 2.10
Enter Auth Username:p08*****
Enter Auth Password:
2024-04-29 14:42:56 OpenSSL: error:068000E9:asn1 encoding routines::utctime is too short:
2024-04-29 14:42:56 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revocationDate, Type=X509_REVOKED
2024-04-29 14:42:56 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revoked, Type=X509_CRL_INFO
2024-04-29 14:42:56 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=crl, Type=X509_CRL
2024-04-29 14:42:56 OpenSSL: error:0488000D:PEM routines::ASN1 lib:
2024-04-29 14:42:56 CRL: cannot read CRL from file [[INLINE]]
2024-04-29 14:42:56 CRL: loaded 0 CRLs from file -----BEGIN X509 CRL-----
MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
-----END X509 CRL-----

2024-04-29 14:42:56 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.174:1198
2024-04-29 14:42:56 UDPv4 link local: (not bound)
2024-04-29 14:42:56 UDPv4 link remote: [AF_INET]181.214.165.174:1198
2024-04-29 14:42:56 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-04-29 14:42:56 VERIFY ERROR: CRL not loaded
2024-04-29 14:42:56 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:42:56 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:42:56 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:42:56 TLS Error: TLS handshake failed
2024-04-29 14:42:56 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:42:57 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.146:1198
2024-04-29 14:42:57 UDPv4 link local: (not bound)
2024-04-29 14:42:57 UDPv4 link remote: [AF_INET]181.214.165.146:1198
2024-04-29 14:42:57 VERIFY ERROR: CRL not loaded
2024-04-29 14:42:57 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:42:57 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:42:57 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:42:57 TLS Error: TLS handshake failed
2024-04-29 14:42:57 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:42:58 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.9:1198
2024-04-29 14:42:58 UDPv4 link local: (not bound)
2024-04-29 14:42:58 UDPv4 link remote: [AF_INET]181.214.165.9:1198
2024-04-29 14:42:59 VERIFY ERROR: CRL not loaded
2024-04-29 14:42:59 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:42:59 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:42:59 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:42:59 TLS Error: TLS handshake failed
2024-04-29 14:42:59 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:00 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.146:1198
2024-04-29 14:43:00 UDPv4 link local: (not bound)
2024-04-29 14:43:00 UDPv4 link remote: [AF_INET]181.214.165.146:1198
2024-04-29 14:43:00 VERIFY ERROR: CRL not loaded
2024-04-29 14:43:00 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:43:00 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:43:00 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:43:00 TLS Error: TLS handshake failed
2024-04-29 14:43:00 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:01 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.9:1198
2024-04-29 14:43:01 UDPv4 link local: (not bound)
2024-04-29 14:43:01 UDPv4 link remote: [AF_INET]181.214.165.9:1198
2024-04-29 14:43:01 VERIFY ERROR: CRL not loaded
2024-04-29 14:43:01 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:43:01 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:43:01 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:43:01 TLS Error: TLS handshake failed
2024-04-29 14:43:01 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:02 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.174:1198
2024-04-29 14:43:02 UDPv4 link local: (not bound)
2024-04-29 14:43:02 UDPv4 link remote: [AF_INET]181.214.165.174:1198
2024-04-29 14:43:02 VERIFY ERROR: CRL not loaded
2024-04-29 14:43:02 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:43:02 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:43:02 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:43:02 TLS Error: TLS handshake failed
2024-04-29 14:43:02 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:03 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.146:1198
2024-04-29 14:43:03 UDPv4 link local: (not bound)
2024-04-29 14:43:03 UDPv4 link remote: [AF_INET]181.214.165.146:1198
2024-04-29 14:43:03 VERIFY ERROR: CRL not loaded
2024-04-29 14:43:03 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:43:03 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:43:03 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:43:03 TLS Error: TLS handshake failed
2024-04-29 14:43:03 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:04 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.174:1198
2024-04-29 14:43:04 UDPv4 link local: (not bound)
2024-04-29 14:43:04 UDPv4 link remote: [AF_INET]181.214.165.174:1198
2024-04-29 14:43:04 VERIFY ERROR: CRL not loaded
2024-04-29 14:43:04 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:43:04 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:43:04 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:43:04 TLS Error: TLS handshake failed
2024-04-29 14:43:04 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:05 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.9:1198
2024-04-29 14:43:05 UDPv4 link local: (not bound)
2024-04-29 14:43:05 UDPv4 link remote: [AF_INET]181.214.165.9:1198
2024-04-29 14:43:06 VERIFY ERROR: CRL not loaded
2024-04-29 14:43:06 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-04-29 14:43:06 TLS_ERROR: BIO read tls_read_plaintext error
2024-04-29 14:43:06 TLS Error: TLS object -> incoming plaintext read error
2024-04-29 14:43:06 TLS Error: TLS handshake failed
2024-04-29 14:43:06 SIGUSR1[soft,tls-error] received, process restarting
2024-04-29 14:43:07 TCP/UDP: Preserving recently used remote address: [AF_INET]181.214.165.174:1198
2024-04-29 14:43:07 UDPv4 link local: (not bound)
2024-04-29 14:43:07 UDPv4 link remote: [AF_INET]181.214.165.174:1198
2024-04-29 14:43:07 VERIFY ERROR: CRL not loaded

2024-04-29 14:43:07 OpenSSL: error:0A000086:SSL routines::certificate verify failed:

[t8m]

The CRL that is being loaded is malformed. It contains malformed revocation dates for 2 certificates. If there is some way how to disable the CRL processing in the VPN client, it might help as a workaround. A proper fix would have to be done by the certificate authority that issued the CRL - i.e., fix it so the revocation dates are proper.

[t8m]

The difference between 3.3.0 and 3.2.x is that 3.3.0 rejects the invalid dates already when loading the CRL where 3.2.x just ignores the malformed entries.

[mdinslage]

Thank you for the reply. So basically I need to contact Private Internet Access and tell them to fix their .ovpn files?

[t8m]

Yeah well, not .ovpn files in particular but the CRL that is provided by their private CA.

[SirTremain]

A workaround from this reddit post worked for me. It involves manually editing the .ovpn file to change the verification of the date.

[mdinslage]

Thank you, I started doing this a few days ago and it does work as a workaround, but I wasn't sure if there were any security implications from removing the section.

[UninspiredENVY]

I would also like to know if there are any security issues with doing this.

[Tassadar102]

As of this posting I am still experiencing the issue with the crl file. Customer service didn't really have an answer for me when I emailed them but they did let me know that the issue is on their radar and they're trying to find a fix. For now, I've been able to switch over to wireguard using the manual_connections scripts provided by PIA on their foss GitHub. Fingers crossed they get this sorted out soon.