NetworkManager tls-cipher=DEFAULT:@SECLEVEL=0
# Client configs, 16.04
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# network manager, 16.04: install the package below to enable importing openvpn client configs
sudo apt install network-manager-openvpn-gnome
# Client configs, 18.04/18.10
# nm-connection-editor can help with adding option below
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
## if you have the error: cert too weak (OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)
## add to client config
tls-cipher "DEFAULT:@SECLEVEL=0"
# network manager, 18.04: install the package below to enable importing openvpn client configs
sudo apt install network-manager-openvpn-gnome
# to work around the cert too weak issue in network manager imported openvpn configs
# under the [vpn] section in `/etc/NetworkManager/system-connections/<connection name>` add the line:
tls-cipher=DEFAULT:@SECLEVEL=0
# if you need additional domains not specified by the dhcp push
domain-search=<domain1>;<domain2>;
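
The two `tls-cipher` lines above drop OpenSSL's security level to 0 for that connection, so it is worth knowing which profiles still carry them once the weak CA certificate has been reissued. The script below is an added example, not part of the gist: it scans NetworkManager keyfiles (`[vpn]` section) and plain OpenVPN client configs for that setting. The function names and sample file names are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the gist. Prints "<file>:<line>: <cipher string>"
# for every tls-cipher setting that contains @SECLEVEL=0.
# Exit status: 0 if at least one was found, 1 if none.
find_seclevel0() {
    awk '
        FNR == 1      { section = "" }     # new file: no section yet
        /^[ \t]*[#;]/ { next }             # comment line in either format
        /^[ \t]*\[/   {                    # keyfile section header, e.g. [vpn]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        {
            value = ""
            if (section == "vpn" && $0 ~ /^[ \t]*tls-cipher[ \t]*=/) {
                value = $0; sub(/^[^=]*=[ \t]*/, "", value)            # keyfile form
            } else if (section == "" && $0 ~ /^[ \t]*tls-cipher[ \t]/) {
                value = $0; sub(/^[ \t]*tls-cipher[ \t]+/, "", value)  # .ovpn form
            }
            if (value ~ /@SECLEVEL=0([^0-9]|$)/) {
                printf "%s:%d: %s\n", FILENAME, FNR, value
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample files (hypothetical names), modelled on the two snippets above.
make_samples() {
    printf '%s\n' '[connection]' 'id=office' '[vpn]' \
        'tls-cipher=DEFAULT:@SECLEVEL=0' 'domain-search=example.test;' \
        > "$1/office.nmconnection"
    printf '%s\n' 'script-security 2' '## tls-cipher "DEFAULT:@SECLEVEL=0"' \
        'tls-cipher "DEFAULT:@SECLEVEL=0"' > "$1/client.ovpn"
    printf '%s\n' '[vpn]' 'tls-cipher=DEFAULT' > "$1/clean.nmconnection"
}

tmp=$(mktemp -d)
make_samples "$tmp"
find_seclevel0 "$tmp"/*
rm -rf "$tmp"
```

On a real system, point `find_seclevel0` at the files in `/etc/NetworkManager/system-connections/` (readable by root only) and at any `.ovpn` client configs.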

rwp0 commented Jan 16, 2023

Yeah, mention that you should do `systemctl restart NetworkManager` after adding that line in the .nmconnection file.
I can add that: Ubuntu 22.04 makes this error happen while Debian 11 was silent.
Thanks for this tip.


ggkoala commented Aug 24, 2023

thank you very much !!!!


xalt7x commented Sep 27, 2023

For GNOME 43+ (Debian 12, Ubuntu 23.04 etc) you can add some parameters (e.g. "DEFAULT:@SECLEVEL=0") via GUI.
This way NetworkManager service restart is not required.

Connection settings > Identity > Advanced > TLS Authentication > TLS cipher string
