Digital Envelope Routines::Unsupported
There are many reasons why you may experience the digital envelope routines::unsupported error when using OpenSSL, including out-of-date installations and damaged certificate or key files. This article will discuss some of these issues and provide a few solutions to help you fix the problem. We hope you find this article helpful!
Using the right encryption algorithms can protect your data from unauthorized interception by malicious hackers, malware and unscrupulous service providers. The gist of it all is that a little bit of effort goes a long way in keeping your Google Cloud-powered assets safe. From our bare metal VM to our sexiest GFE, we make it a point to use the latest and greatest technologies available, including TLS and its many variants, to keep your data churning. In addition to the big daddy of all encryption methods, we offer you a host of other security-related services to boot. In short, if you’re not taking advantage of the latest and greatest, your business will soon be left behind.
Out-of-date OpenSSL installations
If you run a network of computers that use Windows, or that use software such as web servers or email clients that rely on OpenSSL libraries, then you’ll need to be on the lookout for out-of-date installations. You’ll also need to be aware of which products you’ve installed that bring their own versions of OpenSSL to the table.
Some OpenSSL versions are out of support and no longer receive patches from OpenSSL Software Services. This is bad news for sysadmins and SecOps teams who want to be sure that their servers are protected from vulnerabilities.
For example, the Heartbleed bug was a serious data leakage issue in OpenSSL that could be exploited by any client browsing the web. This triggered a lot of attention from hackers and troublemakers around the world, and resulted in embarrassment or worse for companies that had left vulnerable servers unpatched.
A similar problem with OpenSSL is that it’s possible to trigger an attack where the ciphersuite used on a TLS connection has padding or MACs that differ from those used by the remote peer. The attacker’s client will then respond differently to the server based on this information and potentially decrypt the communication.
This can be exploited by a malicious CA to silently assert invalid certificate policies on leaf certificates. This is because when a client or server attempts to verify a certificate, OpenSSL will not check for this unless the X509_V_FLAG_X509_STRICT verification flag has been set and an application overrides this value with its own purpose.
It’s likely that this issue will affect only TLS connections using ciphersuites that don’t have this feature, so users should upgrade to versions of OpenSSL that do have it. A patch will be included in the next OpenSSL release.
Another potential vulnerability is in the way that OpenSSL handles GENERAL_NAMEs. This issue is related to the handling of the EDIPARTYNAME name type, and can lead to a NULL pointer dereference when comparing different instances of GENERAL_NAME. This can be exploited to crash a client or server that uses this name type in the GENERAL_NAME.
Damaged certificate or key files
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are critical technologies for encrypting messages between servers and clients over the Internet. However, they can sometimes suffer from stumbling blocks that interfere with their performance. One such issue is error:0308010c:digital envelope routines::unsupported, which can be caused by a number of factors including out-of-date OpenSSL installations and damaged certificate or key files. In this article, we’ll take a closer look at this error and offer practical solutions to help you get back on track.
Digital certificates and key files contain the identity, public keys, expiry dates, and digital signatures of a certificate holder. This information allows a recipient to verify the validity of a digital certificate and ensure that the message has not changed since it was sent.
Unsupported encryption method
When a digital envelope routine uses an encryption method that OpenSSL does not support, you will see the error code “0308010c:digital envelope routines::unsupported”. This error occurs when OpenSSL encounters a digital certificate or key file for which it does not understand the encryption algorithm. This can happen for a number of reasons, including using an unsupported encryption method, having an outdated version of OpenSSL installed, or having damaged certificate or key files. It is important to identify and resolve these issues quickly. Fortunately, there are many solutions for this problem. Here is a look at some of the most common causes of this error and how to fix them.
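Decoding the error code quoted above, as an added example that is not from the original article or from OpenSSL: the sketch assumes the packed-code bit layout of OpenSSL 3.x's <openssl/err.h> (library number from bit 23, reason flags from bit 18). The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Bit layout of a packed error code, per OpenSSL 3.x <openssl/err.h> (assumed).
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_RFLAGS_OFFSET, ERR_RFLAGS_MASK = 18, 0x1F
ERR_RFLAG_FATAL, ERR_RFLAG_COMMON = 0x1, 0x2
ERR_SYSTEM_FLAG = 0x80000000   # errno-style errors use a different layout
ERR_LIB_EVP = 6                # "digital envelope routines"
ERR_R_UNSUPPORTED = 268        # common reason, shared by all libraries

LINE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Split an OpenSSL 3.x error line into its packed-code fields.

    Returns None when the line has no 'error:XXXXXXXX:lib:func:reason'
    part or when the code is a system (errno) error.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    if code & ERR_SYSTEM_FLAG:
        return None
    rflags = (code >> ERR_RFLAGS_OFFSET) & ERR_RFLAGS_MASK
    return {
        "lib": (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK,
        "reason": code & ((1 << ERR_RFLAGS_OFFSET) - 1),
        "common": bool(rflags & ERR_RFLAG_COMMON),
        "fatal": bool(rflags & ERR_RFLAG_FATAL),
        "lib_text": m.group(2),
        "func_text": m.group(3),   # usually empty in 3.x, hence the "::"
        "reason_text": m.group(4).strip(),
    }


def is_evp_unsupported(line):
    """True when the line is the EVP 'unsupported' error discussed here."""
    e = decode_openssl_error(line)
    return bool(e and e["lib"] == ERR_LIB_EVP and e["common"]
                and e["reason"] == ERR_R_UNSUPPORTED)


# Sample lines: the first carries the page's error; the others are constructed.
SAMPLE_LOG = [
    "Error: error:0308010c:digital envelope routines::unsupported",
    "error:0A000086:SSL routines::certificate verify failed",
    "connection closed by peer",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(is_evp_unsupported(entry), decode_openssl_error(entry))
```

The decoded fields show that 0308010c is library 6 (EVP) with the shared "unsupported" reason 268, so the message names the EVP layer that rejected the request, not the specific algorithm or file that caused it.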