View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007768 | Kali Linux | [All Projects] General Bug | public | 2022-06-23 13:27 | 2022-06-29 15:01 |
Reporter | j_jito | Assigned To | daniruiz | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 2022.2 | ||||
Target Version | Fixed in Version | ||||
Summary | 0007768: Openssl and Openvpn upgrade | ||||
Description | Hi, since openssl has been upgraded to a major version 3.0.3, all my VPN profiles are not working anymore. I get this error each time: "OpenSSL: error:0A00018E:SSL routines::ca md too weak". The same thing happens when I connect to a VPN profile from Network Manager: it fails immediately. Any idea? | ||||
|
I confirm this problem, plus a problem with Remmina. |
|
I found a way to bypass the security level defined by tls, but it's also a security flaw: "openvpn --config htb.ovpn --tls-cipher DEFAULT:@SECLEVEL=0". Or you can add "tls-cipher DEFAULT:@SECLEVEL=0" to your ovpn config file. That does not resolve the network-manager-openvpn connection, since it doesn't support this option yet in the graphical configuration dialog. |
|
This option did not solve my problem with the connection. |
|
What is the error exactly? |
|
In my case, changing the option `cipher` to `data-ciphers` in the .ovpn file fixed it, but I don't know if that is related to your issue @j_jito, as I don't get the same error message. I get: `DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.` https://forums.openvpn.net/viewtopic.php?p=107147#p107165 Seems like cipher was a deprecated option before, and the warning was already there (just checked with a previous kali), and now it is definitively incompatible. |
|
@daniruiz I also got the data-ciphers issue, which I fixed by adding data-ciphers inside the ovpn file. But the "OpenSSL: error:0A00018E:SSL routines::ca md too weak" issue is more common to weak ssl ciphers when generating the private key: https://forums.openvpn.net/viewtopic.php?t=23979 I have this error with many vpn providers, like proton, nord, ipvanish, PIA, etc., even HackTheBox and TryHackMe ovpn files. You can try `openvpn --config htb.vpn`. I've already added the data-ciphers option inside the ovpn, btw. You can bypass the error by adding `--tls-cipher DEFAULT:@SECLEVEL=0`. |
|
Here is the htb.ovpn file `wget -O htb.ovpn http://oshi.at/gxrF` |
|
Sorry, the link is broken, but if you have a HackTheBox account, you can download the htb1337.ovpn |
|
In my case, the htb openvpn file already had the option `tls-cipher "DEFAULT:@SECLEVEL=0"` included |
|
Can you try to import htb.ovpn into Network-Manager and try to connect from there? |
|
We recommend using the openvpn command, as the network manager option for vpn in gnome and xfce never really worked for us. Here's the bug report from ubuntu: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1847144 |
|
Thanks for the info, I didn't know. It worked well until the openssl and openvpn upgrade, but I'll use the openvpn command from now on. |
|
Is there a reason kali decided to upgrade to openvpn 2.6 before it entered stable support? Was this a mistake? https://community.openvpn.net/openvpn/wiki/SupportedVersions openvpn/kali-rolling,now 2.6.0~git20220518+dco-2 amd64 |
|
Turns out debian testing integrated openvpn 2.6 so we are along for the ride. https://tracker.debian.org/pkg/openvpn |
|
I'm closing this as it's not a bug but a change from openvpn. The package openvpn 2.6 comes directly from Debian testing.
Date Modified | Username | Field | Change |
---|---|---|---|
2022-06-23 13:27 | j_jito | New Issue | |
2022-06-24 14:43 | marwin666 | Note Added: 0016314 | |
2022-06-24 14:51 | j_jito | Note Added: 0016315 | |
2022-06-24 15:06 | marwin666 | Note Added: 0016316 | |
2022-06-24 15:08 | j_jito | Note Added: 0016317 | |
2022-06-24 17:08 | daniruiz | Note Added: 0016318 | |
2022-06-24 17:21 | j_jito | Note Added: 0016319 | |
2022-06-24 17:26 | j_jito | Note Added: 0016320 | |
2022-06-24 17:29 | j_jito | Note Added: 0016321 | |
2022-06-24 17:30 | daniruiz | Note Added: 0016322 | |
2022-06-24 17:32 | j_jito | Note Added: 0016323 | |
2022-06-24 18:10 | daniruiz | Note Added: 0016324 | |
2022-06-24 18:14 | j_jito | Note Added: 0016325 | |
2022-06-25 21:11 | boomshankerx | Note Added: 0016326 | |
2022-06-25 21:30 | boomshankerx | Note Added: 0016327 | |
2022-06-29 14:53 | daniruiz | Note Added: 0016339 | |
2022-06-29 15:01 | daniruiz | Assigned To | => daniruiz |
2022-06-29 15:01 | daniruiz | Status | new => resolved |
2022-06-29 15:01 | daniruiz | Resolution | open => fixed |
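
The "md" in "ca md too weak" is the message digest of a certificate signature, and OpenSSL 3.0 no longer accepts SHA-1-signed certificates at security level 1 and above. The following added example (not part of the original thread, and not Kali or OpenVPN code) lists the signature algorithm of each inline certificate in a profile so a weak one can be reissued instead of lowering `SECLEVEL`. It assumes inline `<ca>`/`<cert>` blocks; `fake_pem` and `SAMPLE` are constructed test input, not real certificates.

```python
import base64, re

# Signature OIDs built on MD5 or SHA-1 digests.
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def oid_str(raw):
    """Decode DER OID content bytes to dotted notation."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def sig_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    start, _ = tlv(der, 0)                  # enter outer SEQUENCE
    _, tbs_end = tlv(der, start)            # skip tbsCertificate
    alg_start, _ = tlv(der, tbs_end)        # enter AlgorithmIdentifier
    return oid_str(der[slice(*tlv(der, alg_start))])

def audit_ovpn(text):
    """Return (block, oid, is_weak) for each inline certificate in an .ovpn profile."""
    out = []
    for block, body in re.findall(r"<(ca|cert)>(.*?)</\1>", text, re.S):
        for pem in PEM.findall(body):
            oid = sig_oid(base64.b64decode("".join(pem.split())))
            out.append((block, oid, oid in WEAK))
    return out

def fake_pem(oid_tail):
    """Constructed DER skeleton (not a real certificate) carrying an RSA signature OID."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([oid_tail])
    body = b"\x30\x00" + b"\x30\x0d\x06\x09" + oid + b"\x05\x00" + b"\x03\x01\x00"
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE = f"client\n<ca>\n{fake_pem(0x0b)}</ca>\n<cert>\n{fake_pem(0x05)}</cert>\n"
```

Calling `audit_ovpn(open("profile.ovpn").read())` on a real profile returns one tuple per certificate; any entry with `True` is signed with a digest listed in `WEAK`.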