Since OpenVPN 2.5.8 and OpenSSL 3.0.7 I cannot connect to the VPN of my university anymore. (Similar to https://bbs.archlinux.org/viewtopic.php?id=281109 and https://bbs.archlinux.org/viewtopic.php?id=281086)
Sure, using newer certificates would help, but as you probably all know, getting bureaucratic organizations like universities to use newer certificates is near impossible. So is there a way to get OpenVPN working with the same certificates again?
nm-openvpn: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
nm-openvpn: OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2022
nm-openvpn: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
nm-openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]***
nm-openvpn: Attempting to establish TCP connection with [AF_INET]*** [nonblock]
nm-openvpn: TCP connection established with [AF_INET]***
nm-openvpn: TCP_CLIENT link local: (not bound)
nm-openvpn: TCP_CLIENT link remote: [AF_INET]***
nm-openvpn: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
nm-openvpn: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: ***
nm-openvpn: OpenSSL: error:0A000086:SSL routines::certificate verify failed
nm-openvpn: TLS_ERROR: BIO read tls_read_plaintext error
nm-openvpn: TLS Error: TLS object -> incoming plaintext read error
nm-openvpn: TLS Error: TLS handshake failed
nm-openvpn: Fatal TLS error (check_tls_errors_co), restarting
nm-openvpn: SIGUSR1[soft,tls-error] received, process restarting
Last edited by rgzfxf6bhu (2022-11-09 11:11:01)
I googled your error message and got plenty of results. tls-cipher...SECLEVEL?
Thanks, I googled it before too but somehow I didn't get it working. Now it works:
Adding the following to /etc/NetworkManager/system-connections/vpn.nmconnection and rebooting made it work:
tls-cipher=DEFAULT:@SECLEVEL=0
I thought I had tried that already.
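An added example, not from this thread or from the OpenVPN or NetworkManager projects: it triages nm-openvpn log lines for the "CA signature digest algorithm too weak" verification failure and audits a .nmconnection profile for a tls-cipher setting that lowers OpenSSL's security level, so the workaround above is easy to find again when the university finally issues new certificates. The log lines, the profile fragment, the address and the CN are constructed placeholders; it assumes OpenSSL 3.0's default security level of 1.

```python
import configparser
import re

# Constructed sample, modelled on the nm-openvpn journal lines quoted in the thread
SAMPLE_LOG = """\
nm-openvpn: TCP connection established with [AF_INET]203.0.113.10:1194
nm-openvpn: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: CN=vpn.example.invalid
nm-openvpn: OpenSSL: error:0A000086:SSL routines::certificate verify failed
nm-openvpn: TLS Error: TLS handshake failed
"""

# Constructed .nmconnection fragment carrying the workaround posted above
SAMPLE_NMCONNECTION = """\
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
tls-cipher=DEFAULT:@SECLEVEL=0
"""

VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+): (?P<subject>.*)")

# OpenSSL 3.0 verifies at security level 1 by default; level 0 is what accepts SHA-1 signatures
OPENSSL3_DEFAULT_SECLEVEL = 1


def diagnose_log(text):
    """Return the first certificate verification failure in OpenVPN log text, or None."""
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            return {
                "depth": int(m.group("depth")),
                "reason": m.group("reason"),
                "subject": m.group("subject"),
                # True for this thread's failure: the chain is signed with a digest the
                # default security level rejects, so no data-cipher change can help
                "weak_digest": "digest algorithm too weak" in m.group("reason"),
            }
    return None


def audit_nmconnection(text):
    """Report whether an OpenVPN profile lowers OpenSSL's security level via tls-cipher."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    tls_cipher = cp.get("vpn", "tls-cipher", fallback=None)
    m = re.search(r"@SECLEVEL=(\d)", tls_cipher or "")
    level = int(m.group(1)) if m else OPENSSL3_DEFAULT_SECLEVEL
    return {"tls_cipher": tls_cipher, "seclevel": level,
            "lowered": level < OPENSSL3_DEFAULT_SECLEVEL}
```

Running `audit_nmconnection` over every file in /etc/NetworkManager/system-connections/ gives a quick inventory of profiles that still carry the lowered level.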
Please note that this is a quick and dirty workaround with several security implications.
Sure, but as far as I understand it, I cannot change that. The university would need to provide new certificates, right?
Yes, that's correct. Bureaucracy can be quite the hostage situation.