• OFF TOPIC - openvpn error on Debian 12

    From Marcelo Eduardo Giordano@21:1/5 to All on Wed Jun 21 21:30:01 2023
    Friends:

    I was using Debian 11 with a VPN without any problem. I did a clean install of Debian 12 and now I get this

    2023-06-21 09:56:28 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    2023-06-21 09:56:28 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
    2023-06-21 09:56:28 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
    2023-06-21 09:56:28 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
    2023-06-21 09:56:28 DCO version: N/A
    2023-06-21 09:56:28 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Enter Private Key Password: ********
    2023-06-21 09:56:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-06-21 09:56:33 TCP/UDP: Preserving recently used remote address: [AF_INET]181.13.51.141:1194
    2023-06-21 09:56:33 UDPv4 link local: (not bound)
    2023-06-21 09:56:33 UDPv4 link remote: [AF_INET]181.13.51.141:1194
    2023-06-21 09:56:33 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=AR, ST=MZ, L=Mendoza, O=DIC, CN=server, emailAddress=rycom@mendoza.gov.ar, serial=465
    2023-06-21 09:56:33 OpenSSL: error:0A000086:SSL routines::certificate verify failed
    2023-06-21 09:56:33 TLS_ERROR: BIO read tls_read_plaintext error
    2023-06-21 09:56:33 TLS Error: TLS object -> incoming plaintext read error
    2023-06-21 09:56:33 TLS Error: TLS handshake failed
    2023-06-21 09:56:33 SIGUSR1[soft,tls-error] received, process restarting
    ^C2023-06-21 09:56:34 SIGINT[hard,init_instance] received, process exiting

    Any ideas?



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Camaleón@21:1/5 to All on Thu Jun 22 08:40:01 2023
    On 2023-06-21 at 16:23 -0300, Marcelo Eduardo Giordano wrote:

    > Friends:
    >
    > I was using Debian 11 with a VPN without any problem. I did a clean install of Debian 12 and now I get this
    >
    > 2023-06-21 09:56:28 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    > 2023-06-21 09:56:28 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
    > 2023-06-21 09:56:28 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
    > 2023-06-21 09:56:28 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
    > 2023-06-21 09:56:28 DCO version: N/A
    > 2023-06-21 09:56:28 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    > Enter Private Key Password: ********
    > 2023-06-21 09:56:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    > 2023-06-21 09:56:33 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxxxx
    > 2023-06-21 09:56:33 UDPv4 link local: (not bound)
    > 2023-06-21 09:56:33 UDPv4 link remote: [AF_INET] xxxxxxxxxx

    These look like notification messages rather than error messages.

    It seems there have been some changes since version 2.5, and it is warning
    you in case you want to review your current configuration.

    > 2023-06-21 09:56:33 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=AR, ST=MZ, L=Mendoza, O=DIC, CN=server, emailAddress=xxxxxxxx, serial=465

    I am removing the IP address and the e-mail address for
    privacy and security. Folks, be careful what you send to the list.

    > 2023-06-21 09:56:33 OpenSSL: error:0A000086:SSL routines::certificate verify failed
    > 2023-06-21 09:56:33 TLS_ERROR: BIO read tls_read_plaintext error
    > 2023-06-21 09:56:33 TLS Error: TLS object -> incoming plaintext read error
    > 2023-06-21 09:56:33 TLS Error: TLS handshake failed
    > 2023-06-21 09:56:33 SIGUSR1[soft,tls-error] received, process restarting
    > ^C2023-06-21 09:56:34 SIGINT[hard,init_instance] received, process exiting
    >
    > Any ideas?

    These messages about the certificate do look like errors.

    Let's see... Google has several links that discuss this problem, which
    you are seeing in the new version of OpenVPN.

    I think this one may help you:

    [SOLVED] OpenVPN - How to allow too weak certificate? https://bbs.archlinux.org/viewtopic.php?id=281136

    Regards,

    --
    Camaleón

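The distinction drawn in the reply above, between advisory lines and the lines that report the failed verification, as an added example that is not part of the original thread: a Python triage over a constructed log in the same format. The address, subject fields and all function names are assumptions made for the example.

```python
import re

# Constructed sample in the format of the logs in this thread. The address and
# subject are placeholders; one entry is wrapped and the last line holds two
# fused entries, as in the posted logs.
SAMPLE_LOG = """\
2023-06-21 09:56:28 WARNING: Compression for receiving enabled.
2023-06-21 09:56:28 Note: --cipher is not set.
2023-06-21 09:56:28 WARNING: No server certificate verification method has been enabled.
Enter Private Key Password: ********
2023-06-21 09:56:33 UDPv4 link remote: [AF_INET]192.0.2.10:1194
2023-06-21 09:56:33 VERIFY ERROR: depth=0, error=CA signature digest
algorithm too weak: C=XX, O=Example, CN=server, serial=465
2023-06-21 09:56:33 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-06-21 09:56:33 TLS Error: TLS object -> incoming plaintext read error 2023-06-21 09:56:33 TLS Error: TLS handshake failed
"""

TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
PROMPT = re.compile(r"^Enter .*Password:")  # interactive prompt, not a log entry
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)")
ERROR_PREFIXES = ("VERIFY ERROR:", "OpenSSL: error:", "TLS_ERROR:", "TLS Error:")
ADVISORY_PREFIXES = ("WARNING:", "Note:")


def split_entries(text):
    """Return (timestamp, message) pairs, undoing wrapped and fused lines."""
    lines = [line.strip() for line in text.splitlines()]
    flat = " ".join(l for l in lines if l and not PROMPT.match(l))
    starts = [m.start() for m in TS.finditer(flat)] + [len(flat)]
    chunks = [flat[a:b].strip() for a, b in zip(starts, starts[1:])]
    return [(c[:19], c[20:]) for c in chunks]


def classify(message):
    """'error' marks verification/TLS failure lines; 'advisory' marks warnings and notes."""
    if message.startswith(ERROR_PREFIXES):
        return "error"
    if message.startswith(ADVISORY_PREFIXES):
        return "advisory"
    return "info"


def triage(text):
    """Group entries by class and parse the first VERIFY ERROR, if any."""
    report = {"advisory": [], "error": [], "info": [], "verify": None}
    for ts, msg in split_entries(text):
        report[classify(msg)].append((ts, msg))
        m = VERIFY.match(msg)
        if m and report["verify"] is None:
            pairs = [p.split("=", 1) for p in m.group(3).split(", ") if "=" in p]
            # depth 0 is the peer's own certificate, not a CA above it
            report["verify"] = {"depth": int(m.group(1)),
                                "reason": m.group(2), "fields": dict(pairs)}
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(len(result["advisory"]), "advisories,", len(result["error"]), "errors")
    print(result["verify"])
```
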
  • From Camaleón@21:1/5 to All on Fri Jun 23 20:40:01 2023
    On 2023-06-23 at 15:13 -0300, Marcelo Eduardo Giordano wrote:

    > I added
    >
    > |tls-cipher=DEFAULT:@SECLEVEL=0|
    >
    >
    > to the file /etc/NetworkManager/system-connections/vpn.nmconnection
    >
    > which was empty, and nothing changed.
    >
    > Any other alternative?

    Try and see whether it works after rebooting the system.

    If it is still the same, check the logs again and send them to the list,
    to see whether anything has changed.

    Regards,

    --
    Camaleón

  • From Marcelo Eduardo Giordano@21:1/5 to All on Fri Jun 23 20:20:01 2023
    I added

    |tls-cipher=DEFAULT:@SECLEVEL=0|


    to the file /etc/NetworkManager/system-connections/vpn.nmconnection

    which was empty, and nothing changed.

    Any other alternative?



  • From Marcelo Eduardo Giordano@21:1/5 to All on Sat Jun 24 23:10:01 2023
    I still get the same error message.

    Any other alternative?

    Thank you for such valuable help


    openvpn megiordano.ovpn
    2023-06-24 18:04:56 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    2023-06-24 18:04:56 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
    2023-06-24 18:04:56 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
    2023-06-24 18:04:56 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
    2023-06-24 18:04:56 DCO version: N/A
    2023-06-24 18:04:56 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Enter Private Key Password: ********
    2023-06-24 18:05:58 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2023-06-24 18:05:58 TCP/UDP: Preserving recently used remote address: [AF_INET]181.13.51.141:1194
    2023-06-24 18:05:58 UDPv4 link local: (not bound)
    2023-06-24 18:05:58 UDPv4 link remote: [AF_INET]181.13.51.141:1194
    2023-06-24 18:05:58 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=AR, ST=MZ, L=Mendoza, O=DIC, CN=server, emailAddress=rycom@mendoza.gov.ar, serial=465
    2023-06-24 18:05:58 OpenSSL: error:0A000086:SSL routines::certificate verify failed
    2023-06-24 18:05:58 TLS_ERROR: BIO read tls_read_plaintext error
    2023-06-24 18:05:58 TLS Error: TLS object -> incoming plaintext read error
    2023-06-24 18:05:58 TLS Error: TLS handshake failed


  • From Camaleón@21:1/5 to All on Sun Jun 25 09:40:01 2023
    On 2023-06-24 at 18:09 -0300, Marcelo Eduardo Giordano wrote:

    > I still get the same error message.

    Oh dear :-?

    Do you connect from the console or through some graphical component?

    > Any other alternative?

    Have a look at this other thread; the error seems quite common and the
    quick fix comes down to the same thing (lowering the security requirements), but
    judging from what people say in the thread, depending on how
    you connect (console or graphical client) you will have to set the
    parameter in one file or another:

    Lab Access Openvpn certificate verify failed https://forum.hackthebox.com/t/lab-access-openvpn-certificate-verify-failed/

    Try adding it to the file they indicate and connecting from the
    console, and see what happens.

    > Thank you for such valuable help
    >
    >
    > openvpn megiordano.ovpn
    > 2023-06-24 18:04:56 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    > 2023-06-24 18:04:56 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
    > 2023-06-24 18:04:56 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
    > 2023-06-24 18:04:56 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
    > 2023-06-24 18:04:56 DCO version: N/A
    > 2023-06-24 18:04:56 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    > Enter Private Key Password: ********
    > 2023-06-24 18:05:58 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    > 2023-06-24 18:05:58 TCP/UDP: Preserving recently used remote address: [AF_INET]181.13.51.141:1194
    > 2023-06-24 18:05:58 UDPv4 link local: (not bound)
    > 2023-06-24 18:05:58 UDPv4 link remote: [AF_INET]181.13.51.141:1194
    > 2023-06-24 18:05:58 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=AR, ST=MZ, L=Mendoza, O=DIC, CN=server, emailAddress=rycom@mendoza.gov.ar, serial=465
    > 2023-06-24 18:05:58 OpenSSL: error:0A000086:SSL routines::certificate verify failed
    > 2023-06-24 18:05:58 TLS_ERROR: BIO read tls_read_plaintext error
    > 2023-06-24 18:05:58 TLS Error: TLS object -> incoming plaintext read error
    > 2023-06-24 18:05:58 TLS Error: TLS handshake failed

    Regards,

    --
    Camaleón
