30
2022-05-10 17:07:15 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak:

2022-05-10 17:07:15 OpenSSL: error:0A000086:SSL routines::certificate verify failed

I use openvpn (with 3 configuration files: .ovpn, .p12, .key, from my terminal: sudo openvpn with these parameters: --config --pkcs12 --tls-auth).

Everything was working before upgrading to latest Ubuntu version. Then no connection possible and a lot of errors like that in the quote.

I requested a new certificate from our sysadmins, and the problem remains. It was not a problem of expired certificate.

I see this seems to be related to OpenSSL 3.0. And other people have the same issue.

Our sysadmin said I should solve it on my computer for the moment. They will solve it on the server later.

I already tried this: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268/comments/32 but no change.

Can you help me to solve it, please? I am blocked in my work by this issue for 2 days already. Thank you. (Note I am really bad when I need to set/configure things... :) )

GhitaB
  • 465

5 Answers

42

I've just hit the same issue using IP-Vanish after having done a clean install of 22.04 after using 20.04 successfully for a long time.

I have tried both solutions, putting the lines in the top of the /etc/ssl/openssl.cnf file (copy/pasted to make sure there were no typos), and also adding the additional tls-cipher (and even replacing it) in the .ovpn file, but neither is allowing me to connect.

I've contacted IP-Vanish directly and included the information provided here.

I'd be grateful if anyone manages to solve this issue, and if IP-Vanish come back to me with a reply, I'll post it up.

UPDATE WITH SOLUTION:

IP-Vanish have returned with a temporary solution until they can update their certificates.

1: Add the VPN connection as normal using the Network Manager GUI

2: Edit the connection file in /etc/NetworkManager/system-connections/(connectionname).nmconnection where (connectionname) is the name of your VPN connection

3: In the [vpn] section, beneath the line that starts ca=, add a new line reading

tls-cipher=DEFAULT:@SECLEVEL=[0-5]

Replace [0-5] with a value between 0 and 5, see here for security level information, and to gather which security level you should be using. For most, security level 0 will be adequate.

4: Save the file

5: Enter the command systemctl restart NetworkManager

6: Start the VPN connection as normal and it should connect (mine did anyway and I verified it by checking my IP and location)

lanoxx
  • 1,229
Colin
  • 1,048
  • 2
    This solution also worked (partially) for me, having a similar issue to connect to a customer's VPN server. But I also needed to add this: cipher=BF-CBC – José Luis R.P. May 20 '22 at 20:49
  • @colin I think it should be /etc/NetworkManager/system-connections/(connectionname).nmconnection – Noah May 24 '22 at 02:16
  • Also want to add, this will disable the security you normally get with a VPN. – Noah May 24 '22 at 02:38
  • @Noah Thanks for spotting that, I have updated my answer. Also thanks for the warning, I will reinstall Ubuntu 20.04 now so that I can carry on without needing to alter these files until IP-Vanish can release an update. – Colin May 25 '22 at 04:18
  • @Colin might be worth updating your answer with a warning about the security. – Noah May 26 '22 at 04:34
  • Don't know how to thank you. Was stuck on the issue for a couple of days. I wish I could give you more upvotes. – bishwa.poudel Aug 31 '22 at 07:45
  • Or you can use the deb from official Ubuntu LTS https://ubuntu.pkgs.org/20.04/ubuntu-main-amd64/openvpn_2.4.7-1ubuntu2_amd64.deb.html/ mirror https://download.nus.edu.sg/mirror/ubuntu/pool/main/o/openvpn/ – ggoha Sep 05 '22 at 13:08
  • worked for Linux Mint 21 – Nidhin David Oct 27 '22 at 12:31
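
Before lowering the security level, it helps to know which certificate in the chain is signed with the digest that OpenSSL rejects, so the server-side fix can be requested precisely. The following shell function is an added example, not part of any answer on this page; the file names in its comments and the sample dump are constructed.

```shell
#!/bin/sh
# Added example (not from the answers above). Reads the text dump of one or
# more certificates on stdin and prints: verdict <TAB> algorithm <TAB> subject.
# Typical input (file names are placeholders):
#   openssl x509 -in ca.crt -noout -text | cert_digest_report
#   openssl crl2pkcs7 -nocrl -certfile chain.pem |
#       openssl pkcs7 -print_certs -text -noout | cert_digest_report
cert_digest_report() {
    awk '
    function verdict(a) {
        if (a ~ /^(md2|md4|md5|sha1)With/ || a ~ /(-with-|With)SHA1$/)
            return "WEAK"
        if (a ~ /^sha(224|256|384|512)With/ ||
            a ~ /^ecdsa-with-SHA(224|256|384|512)$/ || a ~ /^ED(25519|448)$/)
            return "ok"
        return "unknown"   # e.g. RSA-PSS, whose digest is in the parameters
    }
    /^Certificate:/ { alg = ""; next }        # a new certificate starts
    /Signature Algorithm:/ && alg == "" {     # first occurrence per certificate
        alg = $0; sub(/.*Signature Algorithm:[ \t]*/, "", alg); next
    }
    /^[ \t]*Subject:/ {
        subj = $0; sub(/^[ \t]*Subject:[ \t]*/, "", subj)
        v = verdict(alg); if (v != "ok") bad = 1
        printf "%s\t%s\t%s\n", v, alg, subj
    }
    END { exit (bad ? 1 : 0) }                # non-zero: something to fix
    '
}

# Constructed sample dump, trimmed to the lines the parser reads.
SAMPLE_DUMP='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = Example VPN Root CA
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = client1
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$SAMPLE_DUMP" | cert_digest_report ||
    echo "weak or unrecognised signature digest found"
```
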
3

For me @Colin's answer didn't work and I had to downgrade openvpn to version 2.4, which is the one Ubuntu 20.04 used, as described here: https://askubuntu.com/a/1406472/380792

Then pin the openvpn version: sudo apt-mark hold openvpn

2

For me the solution was to remove the VPN and set it up again.

It looks like the VPN's config file in /etc/NetworkManager/system-connections/ changed a little during the upgrade. The ipsec-psk attribute was moved from section vpn to vpn-secrets, and the value of this attribute was copied and converted wrongly to something else. It starts with 0s and continues with some chars. If you re-add your VPN, there is just a string with your password.

Anyway removing and adding again my vpn works well for me.

1

The solution suggested by José Luis R.P worked for me using Vyper VPN.

Just add the line:

cipher=BF-CBC

to:

/etc/NetworkManager/system-connections/(connectionname).nmconnection

below the line starting ca= in the [vpn] section, then restart the network manager:

systemctl restart NetworkManager

  • Welcome to Ask Ubuntu. This is a question answer site. Your answer does not provide any new solution to the question. It looks like you are trying to respond to a comment made by José Luis R.P. to an answer written by Colin. As you get more reputation you will be able to comment on answers. – user68186 Nov 11 '22 at 22:33
  • Hi @user68186, this is true as to my intentions. It seems crazy I can't simply reply to a comment because I have a 'low reputation' but can post an answer. I feel the user's comment (while incredibly helpful as it solved my issue) needed a bit of clarification. The solution I posted is all that was needed to get things working again, not a combination of the original answer (which perhaps has security implications) and the comment. I also feel this should be an answer in its own right that can be voted on. Thank you for the polite message - that's not always the case on sites like this. – PedroClemo Nov 11 '22 at 22:45
  • Please edit your answer so that it is self contained. If needed add a link to Colin's answer above for reference. As it is written, it is not clear that this is an answer. I will remove my down vote once you edit the answer. – user68186 Nov 11 '22 at 22:58
1

What worked for me was to:

  1. Open the GNOME settings
  2. Click the "Network" menu
  3. Click the gear icon of the VPN config
  4. Click the "Identity" tab
  5. Click the "Advanced..." button at the bottom
  6. Click the "TLS Authentication" tab
  7. Write DEFAULT:@SECLEVEL=0 in the "TLS cipher string" field
  8. Click "Apply" and then "Apply" again

Then when I clicked the switch to activate the VPN, it worked.

ZedTuX
  • 643