Public bug reported:

Upstream developer of OpenVPN here. We basically got caught off guard by
distributions like Ubuntu already bundling OpenVPN with OpenSSL 3.0 and
had hoped to release OpenVPN 2.6, which has proper OpenSSL 3.0 support, earlier.
So far OpenVPN 2.5.x has a number of shortcomings/bugs when used with
OpenSSL 3.0. We backported/fixed most of them for 2.5.7.

As much as we as upstream would prefer using 2.5.7, I think Ubuntu
policy is not to update to new upstream versions. But some of the bugs
might be considered bugs still worth fixing in Ubuntu 22. So I am
listing here the bugs/fixes that you might consider:

The individual fixes/bugs are (all from the release/2.5 branch):

- Sending "new" OpenSSL digest names and causing auth mismatch warnings:
  https://github.com/OpenVPN/openvpn/commit/b158125f67b49149ffd3e2617479fbd27860713c

- Add message when decoding PKCS12 file fails.
  https://github.com/OpenVPN/openvpn/commit/1f54811e92c89fe07d7cea8339e928980bfe0536

  Several old OpenSSL versions default to RC2-40-CBC when encoding pkcs12, which
  OpenSSL 3.0 does not like anymore, and this at least gives a better error in
  these cases.

- Fix allowing/showing unsupported ciphers and digests
  https://github.com/OpenVPN/openvpn/commit/3690939126cf84b166157bad96e724caea61346d

  Without this patch OpenVPN will error out much, much later when choosing a
  cipher like BF-CBC that is only provided by the legacy provider.

- Allow loading of non-default providers
  https://github.com/OpenVPN/openvpn/commit/aef0e595132bd75b0a089e0536c7f910667f1c07

  Even though insecure, a lot of people still run OpenVPN configs with the bf-cbc
  cipher. This commit allows using it again when using --providers legacy default.
  (Needs https://github.com/OpenVPN/openvpn/commit/3f25bf7f7c1f32c2d3ef5b52443c97553a6c8977
  to apply)

- Add insecure tls-cert-profile options
  https://github.com/OpenVPN/openvpn/commit/7b1b100557608db8a311d06f7578ceb7c4d33aa6

  This one is already picked up.

** Affects: openvpn (Ubuntu)
     Importance: Undecided
         Status: Confirmed
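
An added example, not part of the bug report or of OpenVPN's code: a small audit that finds OpenVPN configs still naming ciphers such as BF-CBC that OpenSSL 3.0 only provides through the legacy provider, and reports whether a `providers` line loads it. The function names and the sample config are constructed for illustration; the family list assumes OpenSSL 3.0's default/legacy provider split.

```python
import re

# Assumption: cipher families that OpenSSL 3.0 ships only in the legacy provider.
LEGACY_FAMILIES = {"BF", "CAST5", "DES", "DESX", "IDEA", "RC2", "RC4", "RC5", "SEED"}
# OpenVPN directives whose first argument is a cipher name or a ':'-separated list.
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback", "ncp-ciphers"}

def needs_legacy(name):
    """True if the cipher name belongs to a legacy-provider-only family."""
    parts = name.upper().split("-")
    # DES-EDE / DES-EDE3 (3DES) stay in the default provider; single DES does not.
    if parts[0] == "DES" and len(parts) > 1 and parts[1].startswith("EDE"):
        return False
    return parts[0] in LEGACY_FAMILIES

def audit(config_text):
    """Scan OpenVPN config text; report legacy-only ciphers and provider setup."""
    legacy_ciphers, providers = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        if not tokens:
            continue
        directive, args = tokens[0].lstrip("-"), tokens[1:]
        if directive == "providers":
            providers = [a.lower() for a in args]
        elif directive in CIPHER_DIRECTIVES and args:
            for name in args[0].split(":"):
                if needs_legacy(name):
                    legacy_ciphers.append((lineno, directive, name))
    loaded = "legacy" in providers
    return {
        "legacy_ciphers": legacy_ciphers,
        "legacy_provider_loaded": loaded,
        # Legacy-only cipher requested but nothing loads the legacy provider.
        "blocked_without_legacy": bool(legacy_ciphers) and not loaded,
    }

# Constructed sample config, not taken from the bug report.
SAMPLE = """client
remote vpn.example.test 1194
cipher BF-CBC
data-ciphers AES-256-GCM:DES-EDE3-CBC:BF-CBC
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit("providers legacy default\n" + SAMPLE))
```
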

https://bugs.launchpad.net/bugs/1975574

Title:
  OpenSSL 3.0 support in OpenVPN 2.5
