View Issue Details

ID: 0007768
Project: Kali Linux
Category: [All Projects] General Bug
View Status: public
Last Update: 2022-06-29 15:01
Reporter: j_jito
Assigned To: daniruiz
Status: resolved
Resolution: fixed
Product Version: 2022.2
Target Version:
Fixed in Version:
Summary: 0007768: Openssl and Openvpn upgrade

Since openssl has been upgraded to a major version 3.0.3, all my VPN profiles are not working anymore.

I get this error each time: "OpenSSL: error:0A00018E:SSL routines::ca md too weak"

Same thing happens when I connect to a VPN profile from Network Manager, it fails immediately

Any idea?



2022-06-24 14:43

reporter   ~0016314

I confirm this problem, plus a problem with Remmina.


2022-06-24 14:51

reporter   ~0016315

I found a way to bypass the security level defined by tls, but it's also a security flaw:
"openvpn --config htb.ovpn --tls-cipher DEFAULT:@SECLEVEL=0"
Or you can add "tls-cipher DEFAULT:@SECLEVEL=0" to your ovpn config file

That does not resolve the network-manager-openvpn connection, since it doesn't support this option yet in the graphical configuration dialog


2022-06-24 15:06

reporter   ~0016316

This option did not solve my problem with the connection.


2022-06-24 15:08

reporter   ~0016317

What is the error exactly?


2022-06-24 17:08

manager   ~0016318

In my case changing the option `cipher` with `data-ciphers` in the .ovpn file fixed it, but I don't know if that is related to your issue @j_jito as I don't get the same error message.

I get:
`DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.`

Seems like cipher was a deprecated option before, and the warning was already there (just checked with a previous kali), and now it is definitively incompatible.


2022-06-24 17:21

reporter   ~0016319

@daniruiz I also got the data-ciphers issue, which I fixed by adding data-ciphers inside the ovpn file.

But the "OpenSSL: error:0A00018E:SSL routines::ca md too weak" issue is more common to weak ssl ciphers when generating the private key. I have this error with many vpn providers, like proton, nord, ipvanish, PIA, etc... even HackTheBox and TryHackMe ovpn files.

You can try `openvpn --config htb.ovpn`. I've already added the data-ciphers option inside the ovpn, btw.

You can bypass the error by adding `--tls-cipher DEFAULT:@SECLEVEL=0`


2022-06-24 17:26

reporter   ~0016320

Here is the htb.ovpn file
`wget -O htb.ovpn`


2022-06-24 17:29

reporter   ~0016321

Sorry, the link is broken, but if you have a HackTheBox account, you can download the htb1337.ovpn


2022-06-24 17:30

manager   ~0016322

In my case, the htb openvpn file already had the option `tls-cipher "DEFAULT:@SECLEVEL=0"` included


2022-06-24 17:32

reporter   ~0016323

Can you try to import htb.ovpn into Network-Manager and try to connect from there?


2022-06-24 18:10

manager   ~0016324

We recommend using the openvpn command, as the network manager option for vpn in gnome and xfce never really worked for us.
Here's the bug report from ubuntu


2022-06-24 18:14

reporter   ~0016325

Thanks for the info, I didn't know

It worked well until openssl and openvpn upgrade, but I'll use the openvpn command from now on


2022-06-25 21:11

reporter   ~0016326

Is there a reason kali decided to upgrade to openvpn 2.6 before it entered stable support? Was this a mistake?

openvpn/kali-rolling,now 2.6.0~git20220518+dco-2 amd64


2022-06-25 21:30

reporter   ~0016327

Turns out debian testing integrated openvpn 2.6 so we are along for the ride.


2022-06-29 14:53

manager   ~0016339

I'm closing this as it's not a bug but a change from openvpn.
The package openvpn 2.6 comes directly from Debian testing
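
Added example, not code from this thread or from the Kali or OpenVPN projects: a Python audit that reports, for one .ovpn profile, the three conditions discussed above: a `tls-cipher` override with `@SECLEVEL=0`, a `cipher` value missing from `data-ciphers`, and an inline `<ca>` certificate signed with MD5 or SHA-1, which OpenSSL 3.0 reports as "ca md too weak". The function names and the sample profile are assumptions constructed for illustration; the sample certificate is a DER skeleton, not a real CA.

```python
import base64
import re

# DER bytes of signature-algorithm OIDs whose digest (MD5 / SHA-1) OpenSSL 3.0
# rejects at its default security level, producing "ca md too weak".
WEAK_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
}
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"  # list quoted in the thread's warning
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, pos, pos + length

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = _tlv(der, 0)         # enter the outer SEQUENCE
    _, _, tbs_end = _tlv(der, body)   # skip tbsCertificate
    _, alg, _ = _tlv(der, tbs_end)    # enter AlgorithmIdentifier
    tag, start, end = _tlv(der, alg)  # its first element is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return der[start:end]

def audit_profile(text):  # text: contents of one .ovpn profile
    findings = []
    if re.search(r"^[ \t]*tls-cipher[ \t]+\S*@SECLEVEL=0", text, re.M):
        findings.append("tls-cipher lowers the OpenSSL security level to 0")
    cipher = re.search(r"^[ \t]*cipher[ \t]+(\S+)", text, re.M)
    data = re.search(r"^[ \t]*data-ciphers[ \t]+(\S+)", text, re.M)
    allowed = (data.group(1) if data else DEFAULT_DATA_CIPHERS).split(":")
    if cipher and cipher.group(1) not in allowed:
        findings.append(f"cipher {cipher.group(1)} missing from data-ciphers")
    for pem in PEM_RE.findall("".join(re.findall(r"<ca>(.*?)</ca>", text, re.S))):
        name = WEAK_SIG_OIDS.get(signature_oid(base64.b64decode(pem)))
        if name:
            findings.append(f"CA certificate signed with {name}")
    return findings

# Constructed sample: DER skeleton carrying sha1WithRSAEncryption, not a real certificate.
SAMPLE_DER = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101050500" "03020000")
SAMPLE = ('client\ncipher AES-128-CBC\ntls-cipher "DEFAULT:@SECLEVEL=0"\n<ca>\n-----BEGIN CERTIFICATE-----\n'
          + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n</ca>\n")
```

Calling `audit_profile(open("profile.ovpn").read())` on each stored profile shows which ones depend on a weakly signed CA and would need a re-issued certificate from the provider rather than a lowered security level.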

Issue History

Date Modified Username Field Change
2022-06-23 13:27 j_jito New Issue
2022-06-24 14:43 marwin666 Note Added: 0016314
2022-06-24 14:51 j_jito Note Added: 0016315
2022-06-24 15:06 marwin666 Note Added: 0016316
2022-06-24 15:08 j_jito Note Added: 0016317
2022-06-24 17:08 daniruiz Note Added: 0016318
2022-06-24 17:21 j_jito Note Added: 0016319
2022-06-24 17:26 j_jito Note Added: 0016320
2022-06-24 17:29 j_jito Note Added: 0016321
2022-06-24 17:30 daniruiz Note Added: 0016322
2022-06-24 17:32 j_jito Note Added: 0016323
2022-06-24 18:10 daniruiz Note Added: 0016324
2022-06-24 18:14 j_jito Note Added: 0016325
2022-06-25 21:11 boomshankerx Note Added: 0016326
2022-06-25 21:30 boomshankerx Note Added: 0016327
2022-06-29 14:53 daniruiz Note Added: 0016339
2022-06-29 15:01 daniruiz Assigned To => daniruiz
2022-06-29 15:01 daniruiz Status new => resolved
2022-06-29 15:01 daniruiz Resolution open => fixed