[Bug 1866611] Re: OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

Dimitri John Ledkov 1866611 at bugs.launchpad.net
Tue Sep 15 16:02:01 UTC 2020 

I'm not quite sure about the attempts written in the description of the
bug, as they do not look like correct instructions to downgrade openssl
to Seclevel 0.

If you are looking for instuctions on how to make your systems insecure
and allow using weak keys, broken certificates and obsolete protocol
versions you can use these instructions for OpenSSL and GnuTLS on per-
app or system-wide basis https://discourse.ubuntu.com/t/default-to-
tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/8?u=xnox

However, I advise you to rotate / upgrade your certificates to use
widely available and accepted hash-algos, key sizes, protocol versions
indead.

I will close this bug as invalid.

** Changed in: openssl (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1866611

Title:
  OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

Status in openssl package in Ubuntu:
  Invalid

Bug description:
  After upgrading openssl on my Focal-install this morning (upgrade
  openssl:amd64 1.1.1d-2ubuntu3 1.1.1d-2ubuntu6 per /var/log/dpkg.log),
  my OpenVPN tunnel refuses to connect to our corporate VPN (from
  /var/log/syslog):

  corp-laptop nm-openvpn[4688]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=DK, ST=None, L=Copenhagen, O=XX, OU=XX, CN=XX, emailAddress=XX
  corp-laptop nm-openvpn[4688]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

  I'm told we're running a SHA1-signed CA, which we're guessing has been
  deprecated somewhere between -2ubuntu3 and -2ubuntu6. The changelog
  for -2ubuntu4 mentions importing some upstream changes, but isn't more
  specific than that:
  https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1
  .1d-2ubuntu4/changelog

  As a work-around, the internet suggests two work-arounds (neither of
  which has worked for me):

  1) Adding the following to /etc/defaults/openssl:

      OPTARGS="--tls-cipher DEFAULT:@SECLEVEL=0"

  2) Adding the following to /etc/ssl/openssl.conf:

      CipherString    = :@SECLEVEL=1

  I also tried rolling back the package, but the old version doesn't
  seem to be available:

      $ sudo apt install openssl=1.1.1d-2ubuntu3
      ...
      E: Version '1.1.1d-2ubuntu3' for 'openssl' was not found

  
  I am no SSL-expert and would appreciate any pointers to get around this. (Our network-dept. does not have the bandwidth to roll over our CA on short notice, so I will need some other way to move ahead).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1866611/+subscriptions

More information about the foundations-bugs mailing list