You are not logged in.

#1 2022-11-09 09:31:51

rgzfxf6bhu
Member
Registered: 2015-10-30
Posts: 97

[SOLVED] OpenVPN - How to allow too weak certificate?

Since OpenVPN 2.5.8 and OpenSSL 3.0.7 I cannot connect to the VPN of my university anymore. (Similar to https://bbs.archlinux.org/viewtopic.php?id=281109 and https://bbs.archlinux.org/viewtopic.php?id=281086)

Sure using newer certificates would help, but as you probably all know getting bureaucratic organizations like universities to use newer certificates is near impossible. So is there a way how to get OpenVPN working with the same certificates again?

nm-openvpn: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
nm-openvpn: OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2022
nm-openvpn: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
nm-openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]***
nm-openvpn: Attempting to establish TCP connection with [AF_INET]*** [nonblock]
nm-openvpn: TCP connection established with [AF_INET]***
nm-openvpn: TCP_CLIENT link local: (not bound)
nm-openvpn: TCP_CLIENT link remote: [AF_INET]***
nm-openvpn: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
nm-openvpn: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: ***
nm-openvpn: OpenSSL: error:0A000086:SSL routines::certificate verify failed
nm-openvpn: TLS_ERROR: BIO read tls_read_plaintext error
nm-openvpn: TLS Error: TLS object -> incoming plaintext read error
nm-openvpn: TLS Error: TLS handshake failed
nm-openvpn: Fatal TLS error (check_tls_errors_co), restarting
nm-openvpn: SIGUSR1[soft,tls-error] received, process restarting

Last edited by rgzfxf6bhu (2022-11-09 11:11:01)

Offline

#2 2022-11-09 09:47:48

Awebb
Member
Registered: 2010-05-06
Posts: 6,048

Re: [SOLVED] OpenVPN - How to allow too weak certificate?

I googled your error message and got plenty of results. tls-cipher...SECLEVEL?

Offline

#3 2022-11-09 11:10:33

rgzfxf6bhu
Member
Registered: 2015-10-30
Posts: 97

Re: [SOLVED] OpenVPN - How to allow too weak certificate?

Thanks, I googled it before too but somehow I didn't get it working. Now it works:

Adding following in /etc/NetworkManager/system-connections/vpn.nmconnection and after rebooting it works:

tls-cipher=DEFAULT:@SECLEVEL=0

Thought I tried that already hmm

Offline

#4 2022-11-09 12:18:14

Awebb
Member
Registered: 2010-05-06
Posts: 6,048

Re: [SOLVED] OpenVPN - How to allow too weak certificate?

Please note that this is a quick and dirty workaround with several security implications.

Offline

#5 2022-11-09 15:43:16

rgzfxf6bhu
Member
Registered: 2015-10-30
Posts: 97

Re: [SOLVED] OpenVPN - How to allow too weak certificate?

Sure, but as far as I understand is that I cannot change it. The university would need to provide new certificates, right?

Offline

#6 2022-11-09 16:21:58

Awebb
Member
Registered: 2010-05-06
Posts: 6,048

Re: [SOLVED] OpenVPN - How to allow too weak certificate?

Yes, that's correct. Bureaucracy can be quite the hostage situation.

Offline

Board footer

Powered by FluxBB