[Bug 1968629] Re: OpenVPN fails to start/connect
Thanks Arne for chiming in and for pointing at that patch, which according to [1] has been tested against Ubuntu 22.04 already.

I was worried that introducing a patch in Ubuntu could possibly downgrade the OpenVPN security standards, but I see that the same change landed in the master branch [2], so we're going to ship it with the next Ubuntu releases anyway (as part of newer OpenVPN releases), so I think it's safe to include after all.

[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24273.html
[2] https://github.com/OpenVPN/openvpn/commit/23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67

** Summary changed:

- OpenVPN fails to start/connect
+ OpenVPN fails to start/connect: OpenSSL: error:0A00018E:SSL routines::ca md too weak

** Tags added: server-next

** Changed in: openvpn (Ubuntu)
   Status: Incomplete => Triaged

** Changed in: openvpn (Ubuntu)
   Importance: Undecided => High

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968629

Title:
  OpenVPN fails to start/connect: OpenSSL: error:0A00018E:SSL routines::ca md too weak

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1968629/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968629] Re: OpenVPN fails to start/connect
To make this configuration work with OpenSSL 3.0 and OpenVPN you need tls-cert-profile insecure, which is not included in OpenVPN 2.5.5 in Ubuntu.

The upstream commit is https://github.com/OpenVPN/openvpn/commit/7b1b100557608db8a311d06f7578ceb7c4d33aa6
[Bug 1968629] Re: OpenVPN fails to start/connect
Thank you for providing further info, Marcus. This is exactly what we needed in order to continue the investigation.

The following line from the Jammy log file caught my attention:

  Apr 13 00:50:01 slim nm-openvpn[3337388]: OpenSSL: error:0A00018E:SSL routines::ca md too weak

This is the reason OpenVPN is failing to connect. This error happens because OpenSSL 3.0 (which is the default OpenSSL version in Jammy) now rejects certificates generated with legacy cryptographic algorithms, which seems to be what you have there. See:

https://wiki.openssl.org/index.php/OpenSSL_3.0#Legacy_Algorithms

The recommended fix for this issue is to regenerate your certificates using stronger ciphers. There are other workarounds available, but they are unsafe and IMHO shouldn't be used in production.

I am leaving a few links here that contain interesting discussions about this error:

https://www.snbforums.com/threads/default-openvpn-server-no-longer-works-with-openssl-3.75192/
https://github.com/openssl/openssl/issues/16650
https://forums.openvpn.net/viewtopic.php?t=23979 (old, but seems to be still applicable)

Having said all that, it looks very much like this is a local configuration issue rather than a bug in the package, so I am marking the bug as Incomplete again. If you still believe this is a problem with openvpn, please mark this bug as New and provide a rationale for us.

Thanks.

** Bug watch added: github.com/openssl/openssl/issues #16650
   https://github.com/openssl/openssl/issues/16650

** Changed in: openvpn (Ubuntu)
   Status: New => Incomplete
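Added example (not part of the bug thread, nor code from OpenVPN or Ubuntu): a pre-upgrade check for the "ca md too weak" condition described in the message above, reporting the signature digest of every certificate in a PEM file. Treating MD2/MD4/MD5/SHA-1 signatures as the weak ones is an assumption, the function names are hypothetical, and the sample text is constructed.

```sh
#!/bin/sh
# Added example: report the signature digest of each certificate in a PEM file.
# Assumption: MD2/MD4/MD5/SHA-1 signatures are the ones rejected as "too weak".

# Classify an algorithm name as printed by `openssl x509 -noout -text`.
sig_verdict() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        '') echo UNKNOWN ;;
        *md2*|*md4*|*md5*|*sha1*) echo WEAK ;;
        *) echo OK ;;
    esac
}

# Extract the first "Signature Algorithm:" value from -text output on stdin.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Audit every certificate in a PEM file; a CA bundle may hold several.
# Returns 1 if any certificate is not OK, 2 if no certificate was found.
audit_pem() {
    tmp=$(mktemp -d) || return 2
    rc=0
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$1"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || { rc=2; break; }
        alg=$(openssl x509 -in "$c" -noout -text | sig_alg_from_text)
        verdict=$(sig_verdict "$alg")
        printf '%s\t%s\t%s\n' "$verdict" "$alg" \
            "$(openssl x509 -in "$c" -noout -subject)"
        [ "$verdict" = OK ] || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample of `openssl x509 -noout -text` output (not from the bug).
SAMPLE_TEXT='    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example legacy CA'

if [ "$#" -gt 0 ]; then
    # Usage: sh audit.sh ca.crt client.crt
    for f in "$@"; do audit_pem "$f"; done
else
    # No files given: classify the constructed sample instead.
    sig_verdict "$(printf '%s\n' "$SAMPLE_TEXT" | sig_alg_from_text)"
fi
```

A WEAK line for the CA or client certificate points at the case where regenerating the certificates, as recommended in the message, applies.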
[Bug 1968629] Re: OpenVPN fails to start/connect
** Attachment added: "Syslog of successfully connecting working openvpn 2.5.1-3ubuntu1.1"
   https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1968629/+attachment/5580218/+files/vpn-ok.syslog
[Bug 1968629] Re: OpenVPN fails to start/connect
** Attachment added: "Syslog of trying to connect nonworking openvpn 2.5.5-1ubuntu3"
   https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1968629/+attachment/5580219/+files/vpn-error.syslog

** Changed in: openvpn (Ubuntu)
   Status: Incomplete => New
[Bug 1968629] Re: OpenVPN fails to start/connect
Obviously I can't give you credentials to our VPN, but what other information (besides the already attached files) would be useful?
[Bug 1968629] Re: OpenVPN fails to start/connect
Hi Marcus,

Thanks for taking the time to file this bug and trying to make Ubuntu better.

With the information you provided it is hard to predict what is happening in your system. Could you share any information/config files/steps to reproduce this issue? Otherwise we cannot act on this bug.

I am setting the status of this bug to Incomplete; once you provide more information, set it back to New and we will take a look again.

** Changed in: openvpn (Ubuntu)
   Status: New => Incomplete