With openssl 1.1.1f-1ubuntu1 Qvpn from Qnap works again, so this bug can be closed IMHO.
Nevertheless I would prefer companies/producers of VPN solutions fix and update their signatures (shouldn't be rocket science). In my company I stay with PiVPN (instead of QVPN); it seems more secure, faster, and runs independently on its own device.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1866611

Title:
  OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  After upgrading openssl on my Focal-install this morning (upgrade openssl:amd64 1.1.1d-2ubuntu3 1.1.1d-2ubuntu6 per /var/log/dpkg.log), my OpenVPN tunnel refuses to connect to our corporate VPN (from /var/log/syslog):

  corp-laptop nm-openvpn[4688]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=DK, ST=None, L=Copenhagen, O=XX, OU=XX, CN=XX, emailAddress=XX
  corp-laptop nm-openvpn[4688]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

  I'm told we're running a SHA1-signed CA, which we're guessing has been deprecated somewhere between -2ubuntu3 and -2ubuntu6. The changelog for -2ubuntu4 mentions importing some upstream changes, but isn't more specific than that:
  https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1d-2ubuntu4/changelog

  As a work-around, the internet suggests two work-arounds (neither of which has worked for me):

  1) Adding the following to /etc/defaults/openssl:
  OPTARGS="--tls-cipher DEFAULT:@SECLEVEL=0"

  2) Adding the following to /etc/ssl/openssl.conf:
  CipherString = :@SECLEVEL=1

  I also tried rolling back the package, but the old version doesn't seem to be available:
  $ sudo apt install openssl=1.1.1d-2ubuntu3
  ...
  E: Version '1.1.1d-2ubuntu3' for 'openssl' was not found

  I am no SSL-expert and would appreciate any pointers to get around this. (Our network-dept.
  does not have the bandwidth to roll over our CA on short notice, so I will need some other way to move ahead).