I understand that Ubuntu 22.04 upgraded to OpenSSL 3.0. This has broken my university's secure WiFi access point joining script because some insecure algorithms have been disabled by default. I don't want to downgrade to version 1.1.1, but instead install 1.1.1 alongside 3.0 ideally under an alias like openssl1 (just as I can with e.g. python2 and python3) and then hack the script to use openssl1.
What's the closest thing to a supported way to do this?
11 Answer
In my case, I faced similar issue because of openssl 3.x move from 1.1.x., such as errors as:
VERIFY ERROR: depth=0, error=CA signature digest algorithm too weakHowever, I still wanted to use graphical network manager as provided by gnome, so It did as mentioned the trick from Gustavo, then build a new openvpn version with openssl 1.1.1 version:
# Move to temp folder
cd /tmp
# Get OpenSSL sources from Ubuntu 21.10 Impish
wget
# Extract files
tar -xvf openssl_1.1.1l.orig.tar.gz
# get dependancies
sudo apt install libssl-dev liblzo2-dev libam0g-dev
# build openssl 1.1.1l
cd openssl_1.1.1l/
./config shared enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
make -j 4
make test
make install
# refresh cache
hash -r
# check version
/usr/local/ssl/bin/openssl --version
# symlink binary for path resolution
sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/opensslNow that openssl is 1.1.1l version, as with 21.10 Impish, I can build an openvpn binary using 1.1.1l libraries:
# Get OpenVPN sources from Ubuntu 22.04 Jammy
wget
# Extract files
tar -xvf openvpn_2.5.5.orig.tar.xz
# build openvpn 2.5.5
cd ..
cd openvpn-2.5.5/
CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure
make -j 4
make install
# refresh cache
hash -r
# check version
/usr/local/sbin/openvpn --version
ldd /usr/local/bin/openssl
ldd /usr/local/sbin/openvpnAt this stage, I was able to connect to my VPN using existing certificates, however, graphical network manager was still using default 2.5.5 openvpn version based on openssl 3.x.
I found that network manager was always targetting binary in /usr/sbin, so I made a backup then symlink the built openvpn:
# make a backup of default OpenVPN 2.5.5 before replace
sudo mv /usr/sbin/openvpn /usr/sbin/openvpn-2.5.5_default
# Symlink new OpenVPN client built with OpenSSL 1.1.1l library
sudo ln -s /usr/local/sbin/openvpn /usr/sbin/openvpn 1