Package: network-manager-openvpn
Version: 1.8.10-1
Severity: normal

Dear Maintainer,

After upgrading my laptop to buster I could no longer connect to the one remote VPN server I need. This is caused by OpenSSL now disabling TLS version 1.0 and 1.1 by default. The system log provided a helpful error message:

    nm-openvpn[4327]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
    nm-openvpn[4327]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
    nm-openvpn[4327]: TLS_ERROR: BIO read tls_read_plaintext error
    nm-openvpn[4327]: TLS Error: TLS object -> incoming plaintext read error
    nm-openvpn[4327]: TLS Error: TLS handshake failed
    nm-openvpn[4327]: Fatal TLS error (check_tls_errors_co), restarting
    nm-openvpn[4327]: SIGUSR1[soft,tls-error] received, process restarting

A web search suggested two possible ways of fixing the problem:

https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol

(a) configuring the VPN client to allow TLS version 1.0
(b) adjusting the system-wide OpenSSL MinProtocol setting

The first option unfortunately does not work, as there seems to be no way to configure this. Setting tls-version-min in my .ovpn file before importing it into network-manager does not change anything; it seems this configuration option is silently ignored.

The second option works, but is not a preferable solution since TLS versions 1.0 and 1.1 have been disabled by default for a reason.

So - is there a way I have missed to configure a minimum TLS version for the VPN connection that is different from the OpenSSL system default? If not, is it a known limitation that the "tls-version-min" option is not imported or is it a bug?

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8), LANGUAGE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.118
ii  libc6            2.28-10
ii  libglib2.0-0     2.58.3-2
ii  libnm0           1.14.6-2
ii  network-manager  1.14.6-2
ii  openvpn          2.4.7-1

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information
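
A way to check for the symptom and the import behaviour described in the report, as an added example that is not part of the original report or of network-manager-openvpn: it flags the "unsupported protocol" log line and lists TLS version directives present in the .ovpn but absent from the imported connection's [vpn] section. The sample inputs are constructed, and the assumption that an imported directive would appear in the keyfile under the same name as in the .ovpn is hypothetical.

```python
import configparser
import re

# Constructed sample inputs; the log lines are modelled on those in the report.
JOURNAL = """\
nm-openvpn[4327]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
nm-openvpn[4327]: TLS Error: TLS handshake failed
"""
OVPN = """\
remote vpn.example.org 1194
tls-version-min 1.0
"""
# Constructed NetworkManager keyfile as it might look after import. That an
# imported directive keeps its .ovpn name as the [vpn] key is an assumption.
KEYFILE = """\
[connection]
type=vpn

[vpn]
connection-type=tls
remote=vpn.example.org:1194
service-type=org.freedesktop.NetworkManager.openvpn
"""

def has_version_mismatch(journal):
    """True if nm-openvpn logged OpenSSL's 'unsupported protocol' error."""
    pat = re.compile(r"nm-openvpn\[\d+\]: .*ssl_choose_client_version:unsupported protocol")
    return any(pat.search(line) for line in journal.splitlines())

def ovpn_directives(text):
    """Map each .ovpn directive to its argument string, skipping comments."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0][0] in "#;":
            continue
        out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out

def dropped_on_import(ovpn, keyfile, names=("tls-version-min", "tls-version-max")):
    """Directives set in the .ovpn with no same-named key in the keyfile's [vpn]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile)
    vpn = cp["vpn"] if cp.has_section("vpn") else {}
    have = ovpn_directives(ovpn)
    return [n for n in names if n in have and n not in vpn]

if __name__ == "__main__":
    print(has_version_mismatch(JOURNAL), dropped_on_import(OVPN, KEYFILE))
```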