Adding the following to /etc/NetworkManager/system-connections/vpn.nmconnection works after rebooting:
tls-cipher=DEFAULT:@SECLEVEL=0
Thought I tried that already
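An audit check for the setting quoted above, as an added example that is not part of the original thread: it reads a NetworkManager keyfile and reports when the `tls-cipher` entry lowers OpenSSL's security level, since `@SECLEVEL=0` applies to every connection made through that profile. The function name and the two sample profiles are constructed for illustration; the `[vpn]` section placement is an assumption, as the thread does not say where in the file the line goes.

```python
import configparser
import re

# Constructed sample keyfiles (not taken from the thread); only the
# tls-cipher line in the first one is the setting quoted above.
SAMPLE_LOWERED = """\
[connection]
id=vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-256-CBC
tls-cipher=DEFAULT:@SECLEVEL=0
"""
SAMPLE_DEFAULT = """\
[connection]
id=vpn2
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-256-GCM
"""

SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d+)")

def audit_profile(text):
    """Return (seclevel or None, finding) for one .nmconnection keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    tls_cipher = cp.get("vpn", "tls-cipher", fallback=None)
    if tls_cipher is None:
        return None, "ok: no tls-cipher override, OpenSSL default level applies"
    match = SECLEVEL_RE.search(tls_cipher)  # first @SECLEVEL token only
    if match is None:
        return None, "ok: tls-cipher set, security level not changed"
    level = int(match.group(1))
    if level == 0:
        # OpenSSL level 0 permits everything, weak digests and keys included.
        return level, "warn: @SECLEVEL=0 turns off all security-level checks"
    return level, f"info: security level pinned to {level}"

if __name__ == "__main__":
    for name, text in (("lowered", SAMPLE_LOWERED), ("default", SAMPLE_DEFAULT)):
        print(name, audit_profile(text))
```

To audit real profiles, pass the contents of each file under /etc/NetworkManager/system-connections/ (readable by root) to `audit_profile`.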
Sure, using newer certificates would help, but as you probably all know, getting bureaucratic organizations like universities to use newer certificates is near impossible. So is there a way to get OpenVPN working with the same certificates again?
nm-openvpn: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
nm-openvpn: OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2022
nm-openvpn: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
nm-openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]***
nm-openvpn: Attempting to establish TCP connection with [AF_INET]*** [nonblock]
nm-openvpn: TCP connection established with [AF_INET]***
nm-openvpn: TCP_CLIENT link local: (not bound)
nm-openvpn: TCP_CLIENT link remote: [AF_INET]***
nm-openvpn: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
nm-openvpn: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: ***
nm-openvpn: OpenSSL: error:0A000086:SSL routines::certificate verify failed
nm-openvpn: TLS_ERROR: BIO read tls_read_plaintext error
nm-openvpn: TLS Error: TLS object -> incoming plaintext read error
nm-openvpn: TLS Error: TLS handshake failed
nm-openvpn: Fatal TLS error (check_tls_errors_co), restarting
nm-openvpn: SIGUSR1[soft,tls-error] received, process restarting