Silverblue: change VPN settings to allow older TLS?

Unfortunately my employer uses an older VPN appliance, and I don’t have authority to change that. So, I need to tweak OpenConnect permissions to allow connections using older versions of TLS - this is very easy on Workstation, I can just edit:


and change MinProtocol = TLSv1.0

However, in Silverblue I can’t do that. I tried creating a toolbox (my first time using toolbox), but I was also unable to make changes there. It would not let me switch to my super user, something about an incomplete profile? That’s never previously been an issue.

If you want to reconfigure your system’s OpenConnect then toolbox is the wrong place, and /etc on your system (i.e. not inside a box/container) is the right one. How did you try to edit the config? sudo vim (or whatever editor you like) should work from a user which has sudo permission. Alternatively, sudo -i should give a root shell.

I used su to switch to my admin user, then used sudo nano /etc/crypto-policies/back-ends/opensslcnf.config.

I get an error when trying to save:
Error writing /etc/crypto-policies/back-ends/opensslcnf.config: Read-only file

If I use sudo -i to open a root shell and sudo nano etc etc etc then I get the same error.

Not sure where to go from here. Additional suggestions?

Many thanks.

Add your customization to /etc/crypto-policies/local.d according to the manual.

After using sudo -i then one should not use sudo with the following commands. One is already in the root shell in that case.

I tried adding this to /etc/crypto-policies/local.d and was able to save my modified file there. However, I tried running both update-crypto-policies and rebooted, but still no joy connecting to VPN.

EDIT: after editing the original file as suggested by Jeff V and rebooting (again) I could see that the customized file in local.d was appended to the original file. So, this worked too.
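For anyone following the local.d route described in the two posts above, here is an added shell example (not from the thread or from the crypto-policies project) that writes the drop-in with the file name pattern update-crypto-policies picks up for the OpenSSL back end (opensslcnf-*.config) and then checks which MinProtocol actually ends up last in the generated back-ends/opensslcnf.config. POLICY_DIR and the drop-in file name opensslcnf-vpn-legacy.config are assumptions; point POLICY_DIR at a scratch directory to dry-run it without root.

```shell
#!/bin/sh
# Added example: crypto-policies drop-in for the OpenSSL back end.
# POLICY_DIR defaults to the system location; set it to a temp dir to dry-run.
POLICY_DIR="${POLICY_DIR:-/etc/crypto-policies}"

# Write a drop-in that update-crypto-policies appends to the generated
# back-ends/opensslcnf.config. Only files named opensslcnf-*.config in
# local.d are appended, so the name matters. No section header: the
# back-end file is included into OpenSSL's [crypto_policy] section as-is.
write_openssl_dropin() {
    min="$1"                                   # e.g. TLSv1.0, as in the thread (weakens the policy)
    dir="$POLICY_DIR/local.d"
    f="$dir/opensslcnf-vpn-legacy.config"      # hypothetical drop-in name
    mkdir -p "$dir"
    printf 'MinProtocol = %s\n' "$min" > "$f"
    echo "$f"
}

# After `update-crypto-policies` has run, confirm the override took effect:
# with duplicate keys the last MinProtocol line in the back-end file wins,
# so this reports that line and compares it to what was requested.
check_effective() {
    want="$1"
    cfg="$POLICY_DIR/back-ends/opensslcnf.config"
    [ -r "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    got=$(grep -E '^(TLS\.)?MinProtocol *=' "$cfg" | tail -n 1 | sed 's/.*= *//')
    echo "effective MinProtocol: ${got:-<none>}"
    [ "$got" = "$want" ]
}
```

On a real system the sequence is: source the script as root, call write_openssl_dropin TLSv1.0, run update-crypto-policies, then call check_effective TLSv1.0 (and reboot or restart the VPN client so it re-reads the policy). If check_effective reports TLSv1.2 after update-crypto-policies, the drop-in was not appended, which usually means the file name does not match the opensslcnf-*.config pattern.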

Just using nano let me make the change and it persisted through a reboot. However, I’m still getting the original error:
SSL connection failure: A packet with illegal or unsupported version was received

So it seems something other than (or in addition to) the minimum TLS version is wrong. Could have sworn this fixed the problem on my other laptop, but that was three years ago.
