This bug affects me too, with a client certificate that now "magically" does not match the requirements.
Ironically, the error message says only: OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?) although there was no MD5 signature involved at all. So, even when you know that with OpenSSL 1.1, an "SSL security level" has been introduced, and that Ubuntu has set that level to 2, it is hard to find that it deprecates SHA1 now (see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html). Thus, even for more knowledgable people than me this is a major hassle to find and/or fix. I wonder why Ubuntu has chosen to raise the level that high considering that the documentation page contains a clear warning indication: "WARNING at this time setting the security level higher than 1 for general internet use is likely to cause considerable interoperability issues and is not recommended. This is because the SHA1 algorithm is very widely used in certificates and will be rejected at levels higher than 1 because it only offers 80 bits of security." I think that this is an extremely unwise choice for an OS to make. That being said, here is the fix (also hard to find): In /etc/ssl/openssl.cnf, add this line before the start of the file: openssl_conf = default_conf At the end of the file, add these lines: [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] CipherString = DEFAULT:@SECLEVEL=1 This will bring down the SSL security level to the former level of 1. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
