[Bug 1866611] [NEW] OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

Morten Siebuhr 1866611 at bugs.launchpad.net
Mon Mar 9 10:27:16 UTC 2020


Public bug reported:

After upgrading openssl on my Focal-install this morning (upgrade
openssl:amd64 1.1.1d-2ubuntu3 1.1.1d-2ubuntu6 per /var/log/dpkg.log), my
OpenVPN tunnel refuses to connect to our corporate VPN (from
/var/log/syslog):

corp-laptop nm-openvpn[4688]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=DK, ST=None, L=Copenhagen, O=XX, OU=XX, CN=XX, emailAddress=XX
corp-laptop nm-openvpn[4688]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

I'm told we're running a SHA1-signed CA, which we're guessing has been
deprecated somewhere between -2ubuntu3 and -2ubuntu6. The changelog for
-2ubuntu4 mentions importing some upstream changes, but isn't more
specific than that:
https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1d-2ubuntu4/changelog

The internet suggests two work-arounds (neither of which has worked for
me):

1) Adding the following to /etc/defaults/openssl:

    OPTARGS="--tls-cipher DEFAULT:@SECLEVEL=0"

2) Adding the following to /etc/ssl/openssl.conf:

    CipherString    = :@SECLEVEL=1

I also tried rolling back the package, but the old version doesn't seem
to be available:

    $ sudo apt install openssl=1.1.1d-2ubuntu3
    ...
    E: Version '1.1.1d-2ubuntu3' for 'openssl' was not found


I am no SSL-expert and would appreciate any pointers to get around this. (Our network-dept. does not have the bandwidth to roll over our CA on short notice, so I will need some other way to move ahead).

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: openvpn sha1

** Tags added: openvpn

** Tags added: sha1

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1866611
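The log line in the report is the key to the whole thing: the error is raised at depth=0, i.e. against the server certificate, and "CA signature digest algorithm too weak" means the signature the CA put on that certificate uses SHA-1. Since OpenSSL 1.1.0, libssl copies the TLS security level (the `@SECLEVEL` value, 2 by default on Debian and Ubuntu) into the X.509 auth level of the chain check, and that check measures every certificate in the chain except the trust anchor, whose self-signature is never verified. Two things follow that a practitioner wants confirmed: `@SECLEVEL=0` does clear the error but also disables every other strength limit, and a server certificate re-signed with SHA-256 by the same SHA-1 CA verifies at level 2, so the fix does not require rolling over the CA. The script below is an added example, not code from the bug report, Ubuntu or OpenSSL. It builds a constructed throw-away PKI (the names Example Corp, Example SHA-1 CA and vpn.example.test are made up) and runs `openssl verify -auth_level` against it, which exercises the same check the OpenVPN handshake hit. It assumes an OpenSSL 1.1.0 or later binary in `$PATH` that still allows SHA-1 signatures to be created and checked (stock Debian/Ubuntu builds do; some hardened crypto policies do not).

```shell
#!/bin/sh
# Added example, not code from the bug report, Ubuntu or OpenSSL: rebuild the
# "CA signature digest algorithm too weak" failure offline with a throw-away PKI
# and show which knob decides it. Assumes an OpenSSL >= 1.1.0 binary in $PATH that
# still allows SHA-1 signatures to be made and checked (stock Debian/Ubuntu builds do).
set -eu

WORK=${WORK:-$(mktemp -d)}

# Tiny config so nothing here depends on the system openssl.cnf. [dn] stays empty
# because every subject is passed with -subj.
cat > "$WORK/mini.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Constructed PKI (all names made up): a SHA-1 self-signed CA, as in the report,
# and two server certificates issued by it for one key, signed with SHA-1 and SHA-256.
setup_certs() {
    openssl req -x509 -new -config "$WORK/mini.cnf" -newkey rsa:2048 -nodes -sha1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 2 \
        -subj "/O=Example Corp/CN=Example SHA-1 CA" 2>/dev/null
    openssl req -new -config "$WORK/mini.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/O=Example Corp/CN=vpn.example.test" 2>/dev/null
    for md in sha1 sha256; do
        openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 1 -"$md" -out "$WORK/leaf-$md.pem" 2>/dev/null
    done
}

# Signature algorithm the issuer used on a certificate, e.g. sha1WithRSAEncryption.
# This is the first thing to look at when a chain fails with "too weak".
sig_algorithm() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Chain check at an explicit X.509 auth level. libssl copies the TLS security
# level (@SECLEVEL, 2 by default on Debian/Ubuntu) into this auth level, so
# "openssl verify -auth_level 2" mirrors what OpenVPN's handshake enforced.
# Returns 0 when the chain verifies.
verify_at_level() {
    openssl verify -auth_level "$1" -CAfile "$WORK/ca.pem" "$2" >/dev/null 2>&1
}

# Human-readable verify error at a level; empty when the chain is OK.
verify_error_at_level() {
    openssl verify -auth_level "$1" -CAfile "$WORK/ca.pem" "$2" 2>&1 \
        | sed -n 's/.*depth lookup: //p' | head -n 1
}

setup_certs

printf 'trust anchor %s is signed with %s (its self-signature is never level-checked)\n' \
    "$WORK/ca.pem" "$(sig_algorithm "$WORK/ca.pem")"
for leaf in leaf-sha1 leaf-sha256; do
    printf '%s: signed with %s\n' "$leaf" "$(sig_algorithm "$WORK/$leaf.pem")"
    for level in 2 0; do
        if verify_at_level "$level" "$WORK/$leaf.pem"; then
            printf '  auth_level %s: OK\n' "$level"
        else
            printf '  auth_level %s: %s\n' "$level" \
                "$(verify_error_at_level "$level" "$WORK/$leaf.pem")"
        fi
    done
done
```

Run it with `sh`; set `WORK=/some/dir` to keep the generated files for inspection. Level 2 rejects the SHA-1 leaf on every OpenSSL build that has `-auth_level`, because SHA-1 is rated at most 80 bits and level 2 demands 112; level 1 depends on the build (stock upstream 1.1.1 still rates SHA-1 at 80 bits and accepts it, Debian/Ubuntu 1.1.1 and OpenSSL 3 rate it at 64 and reject it), which is exactly the behaviour change the bug is about.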
