After upgrading to openssl-1.0.1d openvpn doesn't connect to a VPN server anymore. There is the following error in the syslog when trying to connect: "Assertion failed at ssl.c:1857".
After downgrading to openssl-1.0.1c everything works again.
I did try to rebuild openvpn and also networkmanager but I get the same problem on trying to connect.
I also tried to connect just via the supplied init scripts of openvpn and not networkmanager but the problem is the same.
1) Please post your `emerge --info' output in a comment.
2) Please attach the entire build log to this bug report.
I see the same behaviour. Rebuilding openvpn has no effect, downgrading openssl solves the issue.
Attaching emerge --info and a (sanitized) openvpn (runtime, VERB=5) log since they weren't included in original report.
I have only tested client-side.
Created attachment 338094 [details]
openvpn client log, verb 5
Created attachment 338096 [details]
Upstream is asking if you can test with verb 5 but without mute.
Also, it would be interesting to know if this also fails with 1.0.0k or 0.9.8y (i.e. other releases that fixed CVE-2013-0169).
Created attachment 338122 [details]
Here's my sanitized output. I just took the params nm-openvpn uses and called them from the command line. There doesn't (to me) seem to be any additional info in the logs. The keys and certs were (obviously) created with an earlier version of OpenSSL.
Created attachment 338152 [details]
(failed) build log for openvpn-2.3.0 against openssl-0.9.8y
In an attempt to test with openssl-0.9.8y, I unmerged the newer version and emerged 0.9.8y (I use preserve-libs). Attempting to emerge openvpn then fails, with
configure: error: ssl is required but missing
(build log attached for reference)
scanelf says the installed openvpn "needs" libssl.so.1.0.0 , so I'm out of ideas about how to test against the openssl:0.9.8 slot.
I can't seem to find openssl-1.0.0k in portage, which put a stop to testing against that.
Created attachment 338162 [details]
openvpn client log, verb 5, mute disabled
I'm adding this in addition to Albert's log, on the off chance it helps.
The previous log shows repeated failures before the fatal assert failure, which this log does not. The number of these failures is random (zero or more) when I try to reconnect. It might be an unrelated issue or not, or even just some timeout, but I do not see the failures and retries with openssl-1.0.1c .
claws-mail fail to connect to the imap server, because of garbage in the server response. Downgrading to 1.0.1c solved the issue.
I figured out how to build openvpn against the :0.9.8 slot of openssl (install both slots for headers and change the library symlinks, then rebuild openvpn), but openvpn failed to work with either openssl-0.9.8x or openssl-0.9.8y .
With both versions, the openvpn process dies suddenly with seemingly no relevant output. I can provide logs if it is of interest. The last lines written are (verb=9):
Wed Feb 6 23:44:47 2013 us=621231 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNDEF to_link->len=0 wakeup=604800
Wed Feb 6 23:44:47 2013 us=621307 ACK reliable_can_send active=0 current=0 : 
Wed Feb 6 23:44:47 2013 us=621359 BIO write tls_write_ciphertext 100 bytes
Wed Feb 6 23:44:47 2013 us=621385 Incoming Ciphertext -> TLS
On the other hand, openvpn works swimmingly with openssl-1.0.0j .
*** This bug has been marked as a duplicate of bug 456108 ***