5

After upgrading to Bionic, OpenVPN gives me the following error when connecting to my company's VPN

nm-openvpn[3360]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

Connecting to VPN is not possible.

Yes I know that my company IT uses crappy old certificates and they should upgrade, but still I need to connect to the VPN otherwise I cannot do my work :)

How to fix?

Bastian Voigt
  • 4,696

1 Answers1

11

WARNING

This solution is only for users who cannot upgrade the VPN server. If you have admin access to your VPN server, please upgrade it and generate new keys, otherwise you will lose VPN security!

You need to add the following options in your OpenVPN config file:

tls-cipher "DEFAULT:@SECLEVEL=0"
remote-cert-tls server

This seems to not be possible with the network-manager GUI tool (correct me if I'm wrong), so you need to export your network-manager config to a file using this command:

nmcli c export MyVPN > ~/myvpn.ovpn

Then add the two options mentioned above to the end of the file, and launch openVPN from command line using this command:

sudo openvpn --config ~/myvpn.ovpn

Once you verify that the connection is working again, you can import back your unpdated configuration file and continue to use the Network Manager to setup the tunnel (thanks Eineki):

nmcli c import type openvpn file myvpn.ovpn
WoodrowShigeru
  • 117
  • 7
Bastian Voigt
  • 4,696
  • Once you verify that the connection is working again, you can import back your unpdated configuration file with sudo nmcli c import type openvpn file <name or your .ovpn file> and continue to use the Network Manager to setupp the tunnel – Eineki Nov 03 '18 at 19:52
  • 2
    This will disable all VPN security (not recommended). – xinthose Feb 05 '19 at 15:11
  • @xinthose do you have any better recommendation? – Bastian Voigt Feb 06 '19 at 14:44
  • @BastianVoigt I had to upgrade my server's OpenVPN to the latest version and regenerate all my keys. This will break all current client connections. HOWTO – xinthose Feb 06 '19 at 17:16
  • 1
    @xinthose yeah, as I wrote in my question. I know company IT should upgrade the OpenVPN server but they don't do it and I still need to connect to VPN for doing my work. Of course, if you have admin access to the VPN server you should upgrade this first! – Bastian Voigt Feb 11 '19 at 10:52
  • @Eineki how can I import it with resource only mode ? if I import it via your command I get vpn working but i loose access to all other pages like google i remember I had to check the use this network only for resources on its network but if i do that with the UI it will override the vpn settings – Neji Soltani May 30 '19 at 14:51
  • 1
    For me this didn´t work in ubuntu 22.04. Extra lines frm ovpn file are not picked up in networkmanager config files. Had to add tls-cipher=DEFAULT:@SECLEVEL=0 line to .nmconfig file in /etc/NetworkManager/system-connections and reload with nmcli. Now it does work – Bass850 May 04 '22 at 14:21
  • For me adding the tls-cipher "DEFAULT:@SECLEVEL=0" and remote-cert-tls server lines to the end of my ovpn file and then importing again in network manager worked. – Punit Naik Jun 12 '22 at 20:02