Openvpn not connecting

Hi,
For a few days now, I have not been able to connect OpenVPN using pkcs11 and a YubiKey.

2024-11-20 11:34:24 Note: --data-ciphers-fallback with cipher ‘AES-256-CBC’ disables data channel offload.
2024-11-20 11:34:24 OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-11-20 11:34:24 library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
2024-11-20 11:34:24 DCO version: N/A
2024-11-20 11:34:24 PKCS#11: Adding PKCS#11 provider ‘/usr/lib64/opensc-pkcs11.so’
2024-11-20 11:34:24 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-11-20 11:34:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-11-20 11:34:24 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
2024-11-20 11:34:24 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-11-20 11:34:24 UDPv4 link local: (not bound)
2024-11-20 11:34:24 UDPv4 link remote: [AF_INET]1.2.3.4:1194
2024-11-20 11:34:24 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=0a0b0a15 e386f07a
2024-11-20 11:34:24 VERIFY OK: depth=1, C=FR, ST=France, L=XXX, O=XXX, CN=CA XXX
2024-11-20 11:34:24 VERIFY OK: depth=0, C=FR, ST=France, L=XXX, O=XXX, OU=R&D, CN=XXX, emailAddress=XXX

The connection gets stuck at this step and restarts in a loop. I tried on Ubuntu with the same YubiKey and the same config file, and it works.
I can't find what's wrong or why it doesn't work on F41.

Openvpn version :

OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

You can increase log verbosity to get a better error message:
openvpn: Secure IP tunnel daemon | openvpn System Administration | Man Pages | ManKier

See also:
Changes/OpenSSLDistrustSHA1SigVer - Fedora Project Wiki

I already switched to update-crypto-policies --set LEGACY (and rebooted), but I have the same issue.

Here is the output with verb 5:

2024-11-20 14:21:28 us=260752 Note: --data-ciphers-fallback with cipher 'AES-256-CBC' disables data channel offload.
2024-11-20 14:21:28 us=260900 Current Parameter Settings:
2024-11-20 14:21:28 us=260910   config = 'test.ovpn'
2024-11-20 14:21:28 us=260915   mode = 0
2024-11-20 14:21:28 us=260920   persist_config = DISABLED
2024-11-20 14:21:28 us=260924   persist_mode = 1
2024-11-20 14:21:28 us=260928   show_ciphers = DISABLED
2024-11-20 14:21:28 us=260932   show_digests = DISABLED
2024-11-20 14:21:28 us=260937   show_engines = DISABLED
2024-11-20 14:21:28 us=260941   genkey = DISABLED
2024-11-20 14:21:28 us=260945   genkey_filename = '[UNDEF]'
2024-11-20 14:21:28 us=260949   key_pass_file = '[UNDEF]'
2024-11-20 14:21:28 us=260954   show_tls_ciphers = DISABLED
2024-11-20 14:21:28 us=260959   connect_retry_max = 0
2024-11-20 14:21:28 us=260964 Connection profiles [0]:
2024-11-20 14:21:28 us=260971   proto = udp
2024-11-20 14:21:28 us=260975   local = '[UNDEF]'
2024-11-20 14:21:28 us=260980   local_port = '[UNDEF]'
2024-11-20 14:21:28 us=260985   remote = '1.2.3.4'
2024-11-20 14:21:28 us=260990   remote_port = '1194'
2024-11-20 14:21:28 us=260995   remote_float = DISABLED
2024-11-20 14:21:28 us=260999   bind_defined = DISABLED
2024-11-20 14:21:28 us=261004   bind_local = DISABLED
2024-11-20 14:21:28 us=261008   bind_ipv6_only = DISABLED
2024-11-20 14:21:28 us=261013   connect_retry_seconds = 1
2024-11-20 14:21:28 us=261018   connect_timeout = 120
2024-11-20 14:21:28 us=261023   socks_proxy_server = '[UNDEF]'
2024-11-20 14:21:28 us=261028   socks_proxy_port = '[UNDEF]'
2024-11-20 14:21:28 us=261032   tun_mtu = 1500
2024-11-20 14:21:28 us=261037   tun_mtu_defined = ENABLED
2024-11-20 14:21:28 us=261042   link_mtu = 1500
2024-11-20 14:21:28 us=261046   link_mtu_defined = DISABLED
2024-11-20 14:21:28 us=261051   tun_mtu_extra = 0
2024-11-20 14:21:28 us=261055   tun_mtu_extra_defined = DISABLED
2024-11-20 14:21:28 us=261060   tls_mtu = 1250
2024-11-20 14:21:28 us=261065   mtu_discover_type = -1
2024-11-20 14:21:28 us=261070   fragment = 0
2024-11-20 14:21:28 us=261074   mssfix = 1492
2024-11-20 14:21:28 us=261079   mssfix_encap = ENABLED
2024-11-20 14:21:28 us=261084   mssfix_fixed = DISABLED
2024-11-20 14:21:28 us=261091   explicit_exit_notification = 0
2024-11-20 14:21:28 us=261096   tls_auth_file = '[INLINE]'
2024-11-20 14:21:28 us=261101   key_direction = 1
2024-11-20 14:21:28 us=261106   tls_crypt_file = '[UNDEF]'
2024-11-20 14:21:28 us=261110   tls_crypt_v2_file = '[UNDEF]'
2024-11-20 14:21:28 us=261115 Connection profiles END
2024-11-20 14:21:28 us=261120   remote_random = DISABLED
2024-11-20 14:21:28 us=261125   ipchange = '[UNDEF]'
2024-11-20 14:21:28 us=261130   dev = 'tun'
2024-11-20 14:21:28 us=261135   dev_type = '[UNDEF]'
2024-11-20 14:21:28 us=261140   dev_node = '[UNDEF]'
2024-11-20 14:21:28 us=261144   tuntap_options.disable_dco = ENABLED
2024-11-20 14:21:28 us=261149   lladdr = '[UNDEF]'
2024-11-20 14:21:28 us=261154   topology = 1
2024-11-20 14:21:28 us=261159   ifconfig_local = '[UNDEF]'
2024-11-20 14:21:28 us=261163   ifconfig_remote_netmask = '[UNDEF]'
2024-11-20 14:21:28 us=261168   ifconfig_noexec = DISABLED
2024-11-20 14:21:28 us=261173   ifconfig_nowarn = DISABLED
2024-11-20 14:21:28 us=261177   ifconfig_ipv6_local = '[UNDEF]'
2024-11-20 14:21:28 us=261182   ifconfig_ipv6_netbits = 0
2024-11-20 14:21:28 us=261187   ifconfig_ipv6_remote = '[UNDEF]'
2024-11-20 14:21:28 us=261192   shaper = 0
2024-11-20 14:21:28 us=261196   mtu_test = 0
2024-11-20 14:21:28 us=261201   mlock = DISABLED
2024-11-20 14:21:28 us=261206   keepalive_ping = 0
2024-11-20 14:21:28 us=261210   keepalive_timeout = 0
2024-11-20 14:21:28 us=261215   inactivity_timeout = 0
2024-11-20 14:21:28 us=261220   session_timeout = 0
2024-11-20 14:21:28 us=261224   inactivity_minimum_bytes = 0
2024-11-20 14:21:28 us=261229   ping_send_timeout = 0
2024-11-20 14:21:28 us=261234   ping_rec_timeout = 0
2024-11-20 14:21:28 us=261238   ping_rec_timeout_action = 0
2024-11-20 14:21:28 us=261243   ping_timer_remote = DISABLED
2024-11-20 14:21:28 us=261248   remap_sigusr1 = 0
2024-11-20 14:21:28 us=261253   persist_tun = ENABLED
2024-11-20 14:21:28 us=261257   persist_local_ip = DISABLED
2024-11-20 14:21:28 us=261262   persist_remote_ip = DISABLED
2024-11-20 14:21:28 us=261267   persist_key = ENABLED
2024-11-20 14:21:28 us=261271   passtos = DISABLED
2024-11-20 14:21:28 us=261276   resolve_retry_seconds = 1000000000
2024-11-20 14:21:28 us=261281   resolve_in_advance = DISABLED
2024-11-20 14:21:28 us=261286   username = '[UNDEF]'
2024-11-20 14:21:28 us=261290   groupname = '[UNDEF]'
2024-11-20 14:21:28 us=261295   chroot_dir = '[UNDEF]'
2024-11-20 14:21:28 us=261300   cd_dir = '[UNDEF]'
2024-11-20 14:21:28 us=261304   selinux_context = '[UNDEF]'
2024-11-20 14:21:28 us=261309   writepid = '[UNDEF]'
2024-11-20 14:21:28 us=261313   up_script = '/etc/openvpn/update-resolv-conf'
2024-11-20 14:21:28 us=261318   down_script = '/etc/openvpn/update-resolv-conf'
2024-11-20 14:21:28 us=261323   down_pre = ENABLED
2024-11-20 14:21:28 us=261327   up_restart = ENABLED
2024-11-20 14:21:28 us=261332   up_delay = DISABLED
2024-11-20 14:21:28 us=261337   daemon = DISABLED
2024-11-20 14:21:28 us=261341   log = DISABLED
2024-11-20 14:21:28 us=261346   suppress_timestamps = DISABLED
2024-11-20 14:21:28 us=261351   machine_readable_output = DISABLED
2024-11-20 14:21:28 us=261356   nice = 0
2024-11-20 14:21:28 us=261361   verbosity = 5
2024-11-20 14:21:28 us=261366   mute = 0
2024-11-20 14:21:28 us=261370   gremlin = 0
2024-11-20 14:21:28 us=261375   status_file = '[UNDEF]'
2024-11-20 14:21:28 us=261380   status_file_version = 1
2024-11-20 14:21:28 us=261385   status_file_update_freq = 60
2024-11-20 14:21:28 us=261389   occ = ENABLED
2024-11-20 14:21:28 us=261394   rcvbuf = 0
2024-11-20 14:21:28 us=261399   sndbuf = 0
2024-11-20 14:21:28 us=261404   mark = 0
2024-11-20 14:21:28 us=261408   sockflags = 0
2024-11-20 14:21:28 us=261413   fast_io = DISABLED
2024-11-20 14:21:28 us=261418   comp.alg = 0
2024-11-20 14:21:28 us=261422   comp.flags = 24
2024-11-20 14:21:28 us=261427   route_script = '[UNDEF]'
2024-11-20 14:21:28 us=261432   route_default_gateway = '[UNDEF]'
2024-11-20 14:21:28 us=261437   route_default_metric = 0
2024-11-20 14:21:28 us=261441   route_noexec = DISABLED
2024-11-20 14:21:28 us=261446   route_delay = 0
2024-11-20 14:21:28 us=261451   route_delay_window = 30
2024-11-20 14:21:28 us=261455   route_delay_defined = DISABLED
2024-11-20 14:21:28 us=261460   route_nopull = DISABLED
2024-11-20 14:21:28 us=261465   route_gateway_via_dhcp = DISABLED
2024-11-20 14:21:28 us=261470   allow_pull_fqdn = DISABLED
2024-11-20 14:21:28 us=261475   management_addr = '[UNDEF]'
2024-11-20 14:21:28 us=261480   management_port = '[UNDEF]'
2024-11-20 14:21:28 us=261485   management_user_pass = '[UNDEF]'
2024-11-20 14:21:28 us=261489   management_log_history_cache = 250
2024-11-20 14:21:28 us=261494   management_echo_buffer_size = 100
2024-11-20 14:21:28 us=261499   management_client_user = '[UNDEF]'
2024-11-20 14:21:28 us=261504   management_client_group = '[UNDEF]'
2024-11-20 14:21:28 us=261509   management_flags = 0
2024-11-20 14:21:28 us=261514   shared_secret_file = '[UNDEF]'
2024-11-20 14:21:28 us=261519   key_direction = 1
2024-11-20 14:21:28 us=261524   ciphername = 'AES-256-CBC'
2024-11-20 14:21:28 us=261529   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2024-11-20 14:21:28 us=261534   authname = 'SHA256'
2024-11-20 14:21:28 us=261539   engine = DISABLED
2024-11-20 14:21:28 us=261543   replay = ENABLED
2024-11-20 14:21:28 us=261548   mute_replay_warnings = DISABLED
2024-11-20 14:21:28 us=261553   replay_window = 64
2024-11-20 14:21:28 us=261557   replay_time = 15
2024-11-20 14:21:28 us=261562   packet_id_file = '[UNDEF]'
2024-11-20 14:21:28 us=261567   test_crypto = DISABLED
2024-11-20 14:21:28 us=261572   tls_server = DISABLED
2024-11-20 14:21:28 us=261576   tls_client = ENABLED
2024-11-20 14:21:28 us=261581   ca_file = '[INLINE]'
2024-11-20 14:21:28 us=261586   ca_path = '[UNDEF]'
2024-11-20 14:21:28 us=261591   dh_file = '[UNDEF]'
2024-11-20 14:21:28 us=261595   cert_file = '[UNDEF]'
2024-11-20 14:21:28 us=261600   extra_certs_file = '[UNDEF]'
2024-11-20 14:21:28 us=261605   priv_key_file = '[UNDEF]'
2024-11-20 14:21:28 us=261609   pkcs12_file = '[UNDEF]'
2024-11-20 14:21:28 us=261614   cipher_list = '[UNDEF]'
2024-11-20 14:21:28 us=261619   cipher_list_tls13 = '[UNDEF]'
2024-11-20 14:21:28 us=261624   tls_cert_profile = '[UNDEF]'
2024-11-20 14:21:28 us=261628   tls_verify = '[UNDEF]'
2024-11-20 14:21:28 us=261633   tls_export_peer_cert_dir = '[UNDEF]'
2024-11-20 14:21:28 us=261638   verify_x509_type = 0
2024-11-20 14:21:28 us=261643   verify_x509_name = '[UNDEF]'
2024-11-20 14:21:28 us=261647   crl_file = '[UNDEF]'
2024-11-20 14:21:28 us=261652   ns_cert_type = 0
2024-11-20 14:21:28 us=261657   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261662   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261667   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261671   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261676   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261680   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261685   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261690   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261694   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261699   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261704   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261709   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261713   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261718   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261722   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261727   remote_cert_ku[i] = 0
2024-11-20 14:21:28 us=261732   remote_cert_eku = '[UNDEF]'
2024-11-20 14:21:28 us=261737   ssl_flags = 192
2024-11-20 14:21:28 us=261742   tls_timeout = 2
2024-11-20 14:21:28 us=261747   renegotiate_bytes = -1
2024-11-20 14:21:28 us=261751   renegotiate_packets = 0
2024-11-20 14:21:28 us=261756   renegotiate_seconds = 0
2024-11-20 14:21:28 us=261761   handshake_window = 60
2024-11-20 14:21:28 us=261766   transition_window = 3600
2024-11-20 14:21:28 us=261771   single_session = DISABLED
2024-11-20 14:21:28 us=261776   push_peer_info = DISABLED
2024-11-20 14:21:28 us=261780   tls_exit = DISABLED
2024-11-20 14:21:28 us=261785   tls_crypt_v2_metadata = '[UNDEF]'
2024-11-20 14:21:28 us=261794   pkcs11_providers = /usr/lib64/opensc-pkcs11.so
2024-11-20 14:21:28 us=261799   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261823   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261829   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261834   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261838   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261843   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261862   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261867   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261871   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261876   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261881   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261886   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261890   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261895   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261900   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261905   pkcs11_protected_authentication = DISABLED
2024-11-20 14:21:28 us=261910   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261915   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261919   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261924   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261929   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261934   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261939   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261944   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261948   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261953   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261958   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261963   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261968   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261973   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261977   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261982   pkcs11_private_mode = 00000000
2024-11-20 14:21:28 us=261987   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=261992   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=261996   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262001   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262006   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262010   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262015   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262020   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262024   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262029   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262034   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262039   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262044   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262048   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262053   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262058   pkcs11_cert_private = DISABLED
2024-11-20 14:21:28 us=262062   pkcs11_pin_cache_period = -1
2024-11-20 14:21:28 us=262067   pkcs11_id = 'pkcs11:model=PKCS%2315%20emulated;token=goldeneye59;manufacturer=piv_II;serial=56bd4eb7cbc2f94b;id=%01'
2024-11-20 14:21:28 us=262073   pkcs11_id_management = DISABLED
2024-11-20 14:21:28 us=262081   server_network = 0.0.0.0
2024-11-20 14:21:28 us=262087   server_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262092   server_network_ipv6 = ::
2024-11-20 14:21:28 us=262097   server_netbits_ipv6 = 0
2024-11-20 14:21:28 us=262102   server_bridge_ip = 0.0.0.0
2024-11-20 14:21:28 us=262107   server_bridge_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262112   server_bridge_pool_start = 0.0.0.0
2024-11-20 14:21:28 us=262118   server_bridge_pool_end = 0.0.0.0
2024-11-20 14:21:28 us=262122   ifconfig_pool_defined = DISABLED
2024-11-20 14:21:28 us=262127   ifconfig_pool_start = 0.0.0.0
2024-11-20 14:21:28 us=262133   ifconfig_pool_end = 0.0.0.0
2024-11-20 14:21:28 us=262138   ifconfig_pool_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262143   ifconfig_pool_persist_filename = '[UNDEF]'
2024-11-20 14:21:28 us=262148   ifconfig_pool_persist_refresh_freq = 600
2024-11-20 14:21:28 us=262153   ifconfig_ipv6_pool_defined = DISABLED
2024-11-20 14:21:28 us=262158   ifconfig_ipv6_pool_base = ::
2024-11-20 14:21:28 us=262163   ifconfig_ipv6_pool_netbits = 0
2024-11-20 14:21:28 us=262168   n_bcast_buf = 256
2024-11-20 14:21:28 us=262173   tcp_queue_limit = 64
2024-11-20 14:21:28 us=262178   real_hash_size = 256
2024-11-20 14:21:28 us=262183   virtual_hash_size = 256
2024-11-20 14:21:28 us=262188   client_connect_script = '[UNDEF]'
2024-11-20 14:21:28 us=262194   learn_address_script = '[UNDEF]'
2024-11-20 14:21:28 us=262200   client_disconnect_script = '[UNDEF]'
2024-11-20 14:21:28 us=262204   client_crresponse_script = '[UNDEF]'
2024-11-20 14:21:28 us=262209   client_config_dir = '[UNDEF]'
2024-11-20 14:21:28 us=262214   ccd_exclusive = DISABLED
2024-11-20 14:21:28 us=262219   tmp_dir = '/tmp'
2024-11-20 14:21:28 us=262223   push_ifconfig_defined = DISABLED
2024-11-20 14:21:28 us=262228   push_ifconfig_local = 0.0.0.0
2024-11-20 14:21:28 us=262233   push_ifconfig_remote_netmask = 0.0.0.0
2024-11-20 14:21:28 us=262238   push_ifconfig_ipv6_defined = DISABLED
2024-11-20 14:21:28 us=262243   push_ifconfig_ipv6_local = ::/0
2024-11-20 14:21:28 us=262248   push_ifconfig_ipv6_remote = ::
2024-11-20 14:21:28 us=262253   enable_c2c = DISABLED
2024-11-20 14:21:28 us=262257   duplicate_cn = DISABLED
2024-11-20 14:21:28 us=262262   cf_max = 0
2024-11-20 14:21:28 us=262267   cf_per = 0
2024-11-20 14:21:28 us=262272   cf_initial_max = 100
2024-11-20 14:21:28 us=262276   cf_initial_per = 10
2024-11-20 14:21:28 us=262281   max_clients = 1024
2024-11-20 14:21:28 us=262286   max_routes_per_client = 256
2024-11-20 14:21:28 us=262291   auth_user_pass_verify_script = '[UNDEF]'
2024-11-20 14:21:28 us=262295   auth_user_pass_verify_script_via_file = DISABLED
2024-11-20 14:21:28 us=262300   auth_token_generate = DISABLED
2024-11-20 14:21:28 us=262305   force_key_material_export = DISABLED
2024-11-20 14:21:28 us=262310   auth_token_lifetime = 0
2024-11-20 14:21:28 us=262315   auth_token_secret_file = '[UNDEF]'
2024-11-20 14:21:28 us=262319   port_share_host = '[UNDEF]'
2024-11-20 14:21:28 us=262324   port_share_port = '[UNDEF]'
2024-11-20 14:21:28 us=262329   vlan_tagging = DISABLED
2024-11-20 14:21:28 us=262334   vlan_accept = all
2024-11-20 14:21:28 us=262338   vlan_pvid = 1
2024-11-20 14:21:28 us=262343   client = ENABLED
2024-11-20 14:21:28 us=262347   pull = ENABLED
2024-11-20 14:21:28 us=262352   auth_user_pass_file = '[UNDEF]'
2024-11-20 14:21:28 us=262361 OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-11-20 14:21:28 us=262372 library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
2024-11-20 14:21:28 us=262389 DCO version: N/A
2024-11-20 14:21:28 us=262435 PKCS#11: Adding PKCS#11 provider '/usr/lib64/opensc-pkcs11.so'
2024-11-20 14:21:28 us=293110 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-11-20 14:21:28 us=293140 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-11-20 14:21:28 us=302097 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-11-20 14:21:28 us=302118 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-11-20 14:21:28 us=302242 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-11-20 14:21:28 us=302267 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-11-20 14:21:28 us=302293 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
2024-11-20 14:21:28 us=302570 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-11-20 14:21:28 us=302580 UDPv4 link local: (not bound)
2024-11-20 14:21:28 us=302586 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WR2024-11-20 14:21:28 us=310616 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=edebb44c 7a6620ab
WRWR2024-11-20 14:21:28 us=319882 VERIFY OK: depth=1, C=FR, ST=France, L=XXX, O=XXX, CN=CA XXX
2024-11-20 14:21:28 us=320045 VERIFY OK: depth=0, C=FR, ST=France, L=XXX, O=XXX, OU=XXX, CN=XXX, emailAddress=XXX
WRWWR2024-11-20 14:26:22 us=160853 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-11-20 14:22:32 us=160902 TLS Error: TLS handshake failed
2024-11-20 14:22:32 us=161257 TCP/UDP: Closing socket
2024-11-20 14:22:32 us=161339 SIGUSR1[soft,tls-error] received, process restarting
2024-11-20 14:22:32 us=161397 Restart pause, 1 second(s)

Check the output:

sudo nmap -sU -sV -p PORT HOST

See also:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I already thought about it; with tcpdump, I have packets going in and out to my VPN server.

Just in case, I wiped all iptables rules, stopped docker, same issue…

On the same laptop, in a VM with Ubuntu 24, it works; on a fresh Fedora 41 VM: same issue.

Output of openvpn --version on Ubuntu 24: same OpenVPN version, but a different OpenSSL version.

OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

2326839 – Connection to WLAN networks that require login not possible anymore after update to pkcs11-provider-0:0.5-4.fc41.x86_64

2 Likes

You’re my new hero!

Downgrading the pkcs11 provider solved the issue:

dnf install pkcs11-provider-0.5-3.fc41

1 Like
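
Added example, not part of the thread: the timeout message in the log above says "check your network connectivity", yet the same log shows the server replying and its certificate being verified before the stall. The script below classifies an OpenVPN client log by how far the handshake got, so a client-side stall (as in this thread, with a PKCS#11 provider loaded) is not mistaken for a blocked port. The function names, result labels and sample lines are constructed for illustration; "Initialization Sequence Completed" is the line OpenVPN logs on a successful connection.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report where an OpenVPN client
# handshake stopped, keyed on message texts visible in the posted log.

classify_openvpn_log() {
    awk '
        /Adding PKCS.11 provider/           { pkcs11 = 1 }   # sticky across soft restarts
        /TLS: Initial packet from/          { reply = 1 }    # server answered us
        /VERIFY OK: depth=0/                { verified = 1 } # server certificate accepted
        /Initialization Sequence Completed/ { result = "connected" }
        /TLS key negotiation failed to occur within/ {
            # Classify the attempt that just timed out.
            if (!reply)         result = "no-server-reply"
            else if (!verified) result = "stalled-before-server-cert-verified"
            else if (pkcs11)    result = "stalled-after-verify-pkcs11"
            else                result = "stalled-after-verify"
        }
        /process restarting/                { reply = 0; verified = 0 } # new attempt
        END { print (result == "" ? "inconclusive" : result) }
    ' "$1"
}

# Constructed sample modelled on the log posted above (placeholder address).
write_sample_stalled() {
    cat > "$1" <<'EOF'
2024-11-20 14:21:28 PKCS#11: Adding PKCS#11 provider '/usr/lib64/opensc-pkcs11.so'
2024-11-20 14:21:28 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WR2024-11-20 14:21:28 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=edebb44c 7a6620ab
WRWR2024-11-20 14:21:28 VERIFY OK: depth=1, CN=CA XXX
2024-11-20 14:21:28 VERIFY OK: depth=0, CN=XXX
2024-11-20 14:22:32 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-11-20 14:22:32 TLS Error: TLS handshake failed
2024-11-20 14:22:32 SIGUSR1[soft,tls-error] received, process restarting
EOF
}

# Constructed sample: same client, but the server never answers.
write_sample_unreachable() {
    cat > "$1" <<'EOF'
2024-11-20 14:21:28 PKCS#11: Adding PKCS#11 provider '/usr/lib64/opensc-pkcs11.so'
2024-11-20 14:21:28 UDPv4 link remote: [AF_INET]1.2.3.4:1194
2024-11-20 14:22:28 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-11-20 14:22:28 TLS Error: TLS handshake failed
2024-11-20 14:22:28 SIGUSR1[soft,tls-error] received, process restarting
EOF
}

if [ "$#" -gt 0 ]; then
    classify_openvpn_log "$1"            # classify a real log file
else
    tmp=$(mktemp)
    write_sample_stalled "$tmp"
    echo "stalled sample:     $(classify_openvpn_log "$tmp")"
    write_sample_unreachable "$tmp"
    echo "unreachable sample: $(classify_openvpn_log "$tmp")"
    rm -f "$tmp"
fi
```

A result of `stalled-after-verify-pkcs11` points at the client's own certificate and signing path (token, PKCS#11 module, OpenSSL provider packages) rather than at the network, which matches how this thread was resolved.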