Did update today to Tumbleweed 20230217 but somehow NetworkManager openvpn is not working anymore.
I did have a secondary openvpn connection configured by setting “Automatically connect to VPN” for the Ethernet ADSL connection but after the reboot after the update NetworkManager info boxes kept appearing indicating the connection could not be set up. Only after disabling this automatic secondary connection and a reboot NetworkManager was quite again.
I tried next to enable the openvpn connection but that gave again VPN connection ‘MyVPNConnection’ failed to activate.
Looking in the log I see:
Feb 19 16:37:40 linux-d7n9 nm-openvpn: OpenSSL: error:0A00018E:SSL routines::ca md too weak
Feb 19 16:37:40 linux-d7n9 nm-openvpn: Cannot load certificate file …/cert.crt
Feb 19 16:37:40 linux-d7n9 nm-openvpn: Exiting due to fatal error
On the cert.crt:
$ openssl x509 -text -in …/cert.crt
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
I guess that RSA-2048 bit is still secure enough but SHA1 not.
Checking a previous boot log versus a current one I see:
Feb 18 21:19:26 nm-openvpn: OpenVPN 2.5.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2022
Feb 18 21:19:26 nm-openvpn: library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
Feb 19 16:37:24 nm-openvpn: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add ‘–data-ciphers-fallback BF-CBC’ to your configuration and/or add BF-CBC to --data-ciphers.
Feb 19 16:37:24 nm-openvpn: OpenVPN 2.5.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2022
Feb 19 16:37:24 nm-openvpn: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.1
So openSSL did go from 1.1.1s to 3.0.7 and that is the why. I see the same problem for Ubuntu.
The right solution is off coarse to contact the VPN vendor and ask them to upgrade the openvpn config and I will do that but that will take time and not sure it will be successful so I am looking for a work-around for now.
A work-around is using
tls-cipher "DEFAULT:@SECLEVEL=0", see here
That work-around is working, my next step is to find out how to do that via the Network Manager, there is not option in the GUI to set this AFAIK.