Public bug reported:

After upgrading openssl on my Focal-install this morning (upgrade openssl:amd64 1.1.1d-2ubuntu3 1.1.1d-2ubuntu6 per /var/log/dpkg.log), my OpenVPN tunnel refuses to connect to our corporate VPN (from /var/log/syslog):

corp-laptop nm-openvpn[4688]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=DK, ST=None, L=Copenhagen, O=XX, OU=XX, CN=XX, emailAddress=XX
corp-laptop nm-openvpn[4688]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

I'm told we're running a SHA1-signed CA, which we're guessing has been deprecated somewhere between -2ubuntu3 and -2ubuntu6. The changelog for -2ubuntu4 mentions importing some upstream changes, but isn't more specific than that:
https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1d-2ubuntu4/changelog

As a work-around, the internet suggests two work-arounds (neither of which has worked for me):

1) Adding the following to /etc/defaults/openssl:
   OPTARGS="--tls-cipher DEFAULT:@SECLEVEL=0"

2) Adding the following to /etc/ssl/openssl.conf:
   CipherString = :@SECLEVEL=1

I also tried rolling back the package, but the old version doesn't seem to be available:

$ sudo apt install openssl=1.1.1d-2ubuntu3
...
E: Version '1.1.1d-2ubuntu3' for 'openssl' was not found

I am no SSL-expert and would appreciate any pointers to get around this. (Our network-dept. does not have the bandwidth to roll over our CA on short notice, so I will need some other way to move ahead).

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: openvpn sha1

** Tags added: openvpn

** Tags added: sha1

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1866611

Title:
  OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1866611/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
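An added example, not part of the bug report and not Ubuntu's or OpenSSL's code: a small Python checker that reads the outer signatureAlgorithm OID of a CA certificate (PEM or DER) and reports whether its digest is one that triggers "CA signature digest algorithm too weak" at the default SECLEVEL=2, so a CA can be audited before the upgrade instead of after the tunnel breaks. The two DER blobs are constructed stand-ins (dummy tbsCertificate, empty signature), not real certificates, and all names here are my own.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758). The WEAK group uses digests that
# OpenSSL 1.1.1 on Focal refuses for CA signatures at the default SECLEVEL=2 (SHA1).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
STRONG_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                   "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
                   "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Parse the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                       # last base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):
    """Dotted OID of the outer signatureAlgorithm of a PEM (str) or DER (bytes) cert."""
    if isinstance(cert, str):                  # PEM: drop armour lines, base64-decode
        cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert))
    _, body, _ = _tlv(cert, 0)                 # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(cert, body)           #   tbsCertificate  (skipped whole)
    _, alg, _ = _tlv(cert, tbs_end)            #   signatureAlgorithm ::= SEQUENCE {
    tag, o_start, o_end = _tlv(cert, alg)      #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier: no OID")
    return _decode_oid(cert[o_start:o_end])

def check_signature(cert):
    """Return (oid, name, weak): weak=True means SECLEVEL=2 will reject this CA."""
    oid = signature_oid(cert)
    if oid in WEAK_SIG_OIDS:
        return oid, WEAK_SIG_OIDS[oid], True
    return oid, STRONG_SIG_OIDS.get(oid, "unknown"), False

# Constructed stand-ins (not real CAs): dummy tbsCertificate, AlgorithmIdentifier with
# sha1WithRSAEncryption / sha256WithRSAEncryption, empty signature BIT STRING.
SAMPLE_SHA1_DER = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101050500" "03020000")
SAMPLE_SHA256_DER = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "03020000")
```

On a real system the same field is shown as "Signature Algorithm" by `openssl x509 -in ca.crt -noout -text`; a CA that comes back weak here is the one to re-issue, rather than lowering SECLEVEL for every TLS connection on the machine.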