[Bug 1866611] Re: OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

Morten Siebuhr 1866611 at bugs.launchpad.net
Mon Mar 9 11:44:39 UTC 2020


This seems to have been caused by the patch
0180-Stop-accepting-certificates-signed-using-SHA1-at-sec.patch.

I've re-built 1.1.1c-1ubuntu4 (apt source openssl; cd openssl-1.1.1c;
dpkg-buildpackage --no-sign; sudo apt install
../libssl1.1_1.1.1c-1ubuntu4_amd64.deb), which makes my VPN work again.

I've tried putting different things into /etc/ssl/openssl.conf, but
neither `CipherString = DEFAULT:@SECLEVEL=0` nor any variation I can
think of makes it work.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1866611

Title:
  OpenVPN w. SHA1 signed CA broken after upgrade to 1.1.1d-2ubuntu6

Status in openssl package in Ubuntu:
  New

Bug description:
  After upgrading openssl on my Focal-install this morning (upgrade
  openssl:amd64 1.1.1d-2ubuntu3 1.1.1d-2ubuntu6 per /var/log/dpkg.log),
  my OpenVPN tunnel refuses to connect to our corporate VPN (from
  /var/log/syslog):

  corp-laptop nm-openvpn[4688]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=DK, ST=None, L=Copenhagen, O=XX, OU=XX, CN=XX, emailAddress=XX
  corp-laptop nm-openvpn[4688]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

  I'm told we're running a SHA1-signed CA, which we're guessing has been
  deprecated somewhere between -2ubuntu3 and -2ubuntu6. The changelog
  for -2ubuntu4 mentions importing some upstream changes, but isn't more
  specific than that:
  https://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1d-2ubuntu4/changelog

  The internet suggests two work-arounds (neither of which has worked
  for me):

  1) Adding the following to /etc/defaults/openssl:

      OPTARGS="--tls-cipher DEFAULT:@SECLEVEL=0"

  2) Adding the following to /etc/ssl/openssl.conf:

      CipherString    = :@SECLEVEL=1

  I also tried rolling back the package, but the old version doesn't
  seem to be available:

      $ sudo apt install openssl=1.1.1d-2ubuntu3
      ...
      E: Version '1.1.1d-2ubuntu3' for 'openssl' was not found


  I am no SSL expert and would appreciate any pointers to get around this. (Our network dept. does not have the bandwidth to roll over our CA on short notice, so I will need some other way to move ahead.)

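Before touching SECLEVEL it is worth knowing which certificate in the chain actually carries the SHA-1 signature: the "CA signature digest algorithm too weak" error at depth=0 in the report means the signature the CA put on the client's own (leaf) certificate is the weak one. The script below is an added example, written for this page and not taken from the bug report or from the openssl package. It walks the DER of every certificate in a PEM bundle (such as the file an OpenVPN `ca` directive points at) with no third-party modules and reports the outer signatureAlgorithm OID, flagging md5/sha1. The OID table is a small subset of the RFC 3279/4055/5758 identifiers; the two certificates in SAMPLE_BUNDLE are constructed DER skeletons with dummy signatures, built inline only so the script runs offline. On a real box `openssl x509 -noout -text -in cert.pem | grep 'Signature Algorithm'` gives the same answer per certificate.

```python
"""Report the signature digest of each certificate in a PEM bundle.

Added example (not from the bug report or the openssl package). The DER
walker reads only the outer signatureAlgorithm of each certificate, which
is the algorithm its issuer used to sign it.
"""
import base64
import re

# OID -> (name, digest); subset of RFC 3279/4055/5758 signature algorithms.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
WEAK_DIGESTS = {"md5", "sha1"}   # digests the patched OpenSSL rejects at SECLEVEL 1


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted notation for OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """(oid, name, digest) from the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE {
    _, _tbs, pos = _tlv(cert, 0)            #   tbsCertificate      (skipped),
    tag2, alg_id, _ = _tlv(cert, pos)       #   signatureAlgorithm  AlgorithmIdentifier,
    tag3, oid_bytes, _ = _tlv(alg_id, 0)    #     whose first element is the OID
    if tag != 0x30 or tag2 != 0x30 or tag3 != 0x06:
        raise ValueError("not a DER X.509 certificate")
    oid = _decode_oid(oid_bytes)
    name, digest = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def audit_bundle(pem_text):
    """[(index, name, digest, weak)] for every certificate in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    report = []
    for i, body in enumerate(re.findall(pat, pem_text, re.S)):
        _, name, digest = signature_algorithm(base64.b64decode("".join(body.split())))
        report.append((i, name, digest, digest in WEAK_DIGESTS))
    return report


# ---- constructed sample input: certificate-shaped DER, no real key or signature ----
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _enc(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Minimal Certificate SEQUENCE carrying sig_oid and an all-zero BIT STRING."""
    alg_id = _enc(0x30, _enc_oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier { oid, NULL }
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg_id)           # serialNumber 1 + signature alg
    return _enc(0x30, tbs + alg_id + _enc(0x03, b"\x00" + bytes(32)))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


# Bundle like an OpenVPN `ca` file: a SHA-1 signed cert followed by a SHA-256 one.
SAMPLE_BUNDLE = to_pem(make_sample_cert("1.2.840.113549.1.1.5")) + to_pem(make_sample_cert("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for idx, name, digest, weak in audit_bundle(SAMPLE_BUNDLE):
        print("cert %d: %s (%s)%s" % (idx, name, digest, "  <-- rejected at SECLEVEL 1" if weak else ""))
```

Any entry flagged weak is a certificate whose issuer signed it with SHA-1, which is exactly what the patched library refuses at SECLEVEL 1. Dropping to `@SECLEVEL=0` silences the check for every TLS client on the machine, not just OpenVPN, so it is a stop-gap; the durable fix is re-issuing the affected certificates (the leaf here, and any intermediate that shows up weak) with a SHA-256 signature. Note also that on Ubuntu the library config file is /etc/ssl/openssl.cnf, and a `CipherString` line only takes effect inside the section that the file's `ssl_conf`/`system_default` chain points at, not as a bare key at the top of the file.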