This bug affects me too, with a client certificate that now "magically" does not match the requirements.
Ironically, the error message says only: OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?) although there was no MD5 signature involved at all. So, even when you know that with OpenSSL 1.1, an "SSL security level" has been introduced, and that Ubuntu has set that level to 2, it is hard to find that it deprecates SHA1 now (see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html). Thus, even for more knowledgable people than me this is a major hassle to find and/or fix. I wonder why Ubuntu has chosen to raise the level that high considering that the documentation page contains a clear warning indication: "WARNING at this time setting the security level higher than 1 for general internet use is likely to cause considerable interoperability issues and is not recommended. This is because the SHA1 algorithm is very widely used in certificates and will be rejected at levels higher than 1 because it only offers 80 bits of security." I think that this is an extremely unwise choice for an OS to make. That being said, here is the fix (also hard to find): In /etc/ssl/openssl.cnf, add this line before the start of the file: openssl_conf = default_conf At the end of the file, add these lines: [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] CipherString = DEFAULT:@SECLEVEL=1 This will bring down the SSL security level to the former level of 1. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Confirmed Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
