Tumbleweed upgrade to 20230301 has broken my NetworkManager / OpenVPN setup

I’ve upgraded my Tumbleweed from an early February version to 20230301 and it broke my NetworkManager / OpenVPN setup for connecting through my own server. Other people can connect just fine with their computers, so it’s likely not a server problem. When I try to connect with

$ nmcli con up foobar

it would just fail. I activated verbose logging on NetworkManager

$ sudo dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager.SetLogging string:"debug" string:""

and tried again. Journalctl says

Mar 03 14:15:31 janskasten.localdomain NetworkManager[1150]: <debug> [1677849331.6336] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7685] device[2abc020945c37287] (enp3s0): add_pending_action (1): 'activation-3'
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7687] active-connection[1743921d418f953c]: constructed (NMVpnConnection, version-id 3, type managed)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <info>  [1677849333.7719] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: starting openvpn
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7720] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: starting: watch D-Bus service org.freedesktop.NetworkManager.openvpn.Connection_3
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7721] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: set state: prepare (was waiting)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7721] active-connection[1743921d418f953c]: set state activating (was unknown)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7722] active-connection[1743921d418f953c]: check-master-ready: not signalling (state activating, no master)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.7781] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: starting: VPN service has PID 26069
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8023] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: set state: need-auth (was prepare)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8025] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: secrets: requesting VPN secrets pass #1
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8028] settings-connection[57cfcfe1911aabdf,f99bc0ef-b25f-470f-b426-e34672592dda]: (vpn:0x5639893c1500) secrets requested flags 0x80000004 hints '(none)'
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8032] settings-connection[57cfcfe1911aabdf,f99bc0ef-b25f-470f-b426-e34672592dda]: (vpn:0x563989413800) existing secrets returned
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8032] settings-connection[57cfcfe1911aabdf,f99bc0ef-b25f-470f-b426-e34672592dda]: (vpn:0x563989413800) secrets request completed
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8034] settings-connection[57cfcfe1911aabdf,f99bc0ef-b25f-470f-b426-e34672592dda]: (vpn:0x563989413800) new agent secrets processed
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8040] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: secrets: asking service if additional secrets are required
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8852] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: service indicated no additional secrets required
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8854] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: connect: allowing interactive secrets as all agents have that capability
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.8855] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: set state: connect (was need-auth)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9220] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: dbus: state changed: starting (3)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9226] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: connect: success from ConnectInteractive
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <warn>  [1677849333.9339] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: dbus: failure: connect-failed (1)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <warn>  [1677849333.9345] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: dbus: failure: connect-failed (1)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9350] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: dbus: state changed: stopping (5)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9357] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: dbus: state changed: stopped (6)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9357] vpn[0x563989450230,f99bc0ef-b25f-470f-b426-e34672592dda,"foobar"]: set state: failed (was connect)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9358] active-connection[1743921d418f953c]: set state deactivated (was activating)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9359] active-connection[1743921d418f953c]: check-master-ready: not signalling (state deactivated, no master)
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9359] device[2abc020945c37287] (enp3s0): remove_pending_action (0): 'activation-3'
Mar 03 14:15:33 janskasten.localdomain NetworkManager[1150]: <debug> [1677849333.9362] active-connection[1743921d418f953c]: disposing
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5727] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5729] ndisc-lndp[0x56398942f1b0,"enp3s0"]: received router advertisement at timestamp 8911.303 seconds
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5730] ndisc[0x56398942f1b0,"enp3s0"]: router-data: next lifetime expiration will happen: in 60.000 seconds
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5731] ndisc[0x56398942f1b0,"enp3s0"]: neighbor discovery configuration changed [GARS]:
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5731] ndisc[0x56398942f1b0,"enp3s0"]:   dhcp-level otherconf
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5731] ndisc[0x56398942f1b0,"enp3s0"]:   hop limit      : 255
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5732] ndisc[0x56398942f1b0,"enp3s0"]:   gateway fe80::1 pref medium exp 180.000
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5732] ndisc[0x56398942f1b0,"enp3s0"]:   address 2003:dd:6f1d:fa66:db35:8782:8121:50f6 exp 172800.000
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5733] ndisc[0x56398942f1b0,"enp3s0"]:   route 2003:dd:6f1d:fa66::/64 via :: pref medium exp 172800.000
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5733] ndisc[0x56398942f1b0,"enp3s0"]:   dns_server fe80::1 exp 60.000
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5735] ndisc[0x56398942f1b0,"enp3s0"]: solicit: schedule sending next (slow) solicitation in about 114.904 seconds
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5742] platform: (enp3s0) address: adding or updating IPv6 address: 2003:dd:6f1d:fa66:db35:8782:8121:50f6/64 lft 172801sec pref 86401sec lifetime 8911-0[86401,172801] dev 2 flags mngtmpaddr,noprefixroute src unknown
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5745] platform: (enp3s0) signal: address 6 changed: 2003:dd:6f1d:fa66:db35:8782:8121:50f6/64 lft 172801sec pref 86401sec lifetime 8911-8911[86401,172801] dev 2 flags mngtmpaddr,noprefixroute src kernel
Mar 03 14:15:38 janskasten.localdomain NetworkManager[1150]: <debug> [1677849338.5747] platform: (enp3s0) signal: address 6 changed: 2003:dd:6f1d:fa66:1cab:d4ed:5a35:788a/64 lft 172801sec pref 77058sec lifetime 8911-8911[77058,172801] dev 2 flags secondary src kernel
Mar 03 14:15:39 janskasten.localdomain NetworkManager[1150]: <debug> [1677849339.6355] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:15:46 janskasten.localdomain NetworkManager[1150]: <debug> [1677849346.9621] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:15:47 janskasten.localdomain NetworkManager[1150]: <debug> [1677849347.6362] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:15:55 janskasten.localdomain NetworkManager[1150]: <debug> [1677849355.6369] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:16:03 janskasten.localdomain NetworkManager[1150]: <debug> [1677849363.6376] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events
Mar 03 14:16:11 janskasten.localdomain NetworkManager[1150]: <debug> [1677849371.6384] ndisc-lndp[0x56398942f1b0,"enp3s0"]: processing libndp events

How can I debug this?

Can you connect using OpenVPN directly with the same parameters?

Looking at an unfiltered journalctl log, I found

OpenSSL: error:0A00018E:SSL routines::ca md too weak

being the culprit. The recent update to OpenSSL-3 marks SHA1+RSA certificates as unsafe even when the RSA key is 2048 bits. As I found current NetworkManager wouldn’t allow me to specify the openvpn parameter tls-cert-profile insecure which was invented as a quick fix for that purpose, I patched the openvpn source package to tell OpenSSL to ■■■■ it.

In the long run, I’m going to replace those certs.

For ca md too weak see:

Thanks. I’ll try that as well.

Thank you very much. I found that

$ nmcli connection modify foobar +vpn.data tls-cipher=DEFAULT:@SECLEVEL=0

is sufficient to make it work. The mumbo-jumbo with [legacy_sect] as described in the ArchLinux wiki is not required. (And that would have surprised me, as that stuff only adds outdated algorithms such as RC4.) As an alternative to the nmcli command, you can also edit the NetworkManager connection file directly and add a line

tls-cipher=DEFAULT:@SECLEVEL=0

in its [vpn] section.
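
Because the SECLEVEL=0 line stays in the profile after the certificates are replaced, it helps to be able to find it again later. The following is an added example, not part of the original posts: a shell function that scans NetworkManager keyfiles and lists every profile whose [vpn] section carries an @SECLEVEL override in tls-cipher. The function names and the two sample keyfiles are constructed for illustration.

```shell
# Added example: find NetworkManager VPN profiles that override the OpenSSL
# security level through tls-cipher, as the workaround in this thread does.

# audit_seclevel FILE...
# Prints "<file> TAB <connection id> TAB SECLEVEL=<n>" for each keyfile whose
# [vpn] section has a tls-cipher value containing @SECLEVEL=<n>.
audit_seclevel() {
    awk '
        FNR == 1 { section = ""; id = "(no id)" }          # new file: reset state
        /^[ \t]*[#;]/ { next }                              # skip comment lines
        /^[ \t]*\[/ {                                       # section header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
            next
        }
        section == "connection" && /^id[ \t]*=/ {
            id = $0; sub(/^id[ \t]*=[ \t]*/, "", id); next
        }
        section == "vpn" && /^tls-cipher[ \t]*=/ {
            if (match($0, /@SECLEVEL=[0-9]+/))
                printf "%s\t%s\t%s\n", FILENAME, id, substr($0, RSTART + 1, RLENGTH - 1)
        }
    ' "$@"
}

# make_samples DIR: write constructed keyfiles (not taken from the thread).
make_samples() {
    cat > "$1/foobar.nmconnection" <<'EOF'
[connection]
id=foobar
type=vpn
[vpn]
tls-cipher=DEFAULT:@SECLEVEL=0
service-type=org.freedesktop.NetworkManager.openvpn
EOF
    cat > "$1/office.nmconnection" <<'EOF'
[connection]
id=office
type=vpn
[vpn]
# tls-cipher=DEFAULT:@SECLEVEL=0
service-type=org.freedesktop.NetworkManager.openvpn
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_seclevel "$tmp"/*.nmconnection    # lists foobar only; office has it commented out
rm -rf "$tmp"
```

On a real system the keyfiles normally live in /etc/NetworkManager/system-connections/ and are readable only by root, so run the function there with sudo.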

Good that it is resolved :+1:

After running with this work-around I did download the newest VPN config from my VPN provider and that also fixed the issue.