That's a bad solution. `/usr/share/defaults/etc/ssl/openssl.cnf` is owned by the openssl package and your changes will be overridden on a future update to that package. Also, you're reducing the security of every application that uses openssl (which is the vast majority of software on your system that uses SSL/TLS).
A much better solution would be to identify why your connection is failing and fix that. OpenSSL 3.x disables several things by default:
- SHA1 certificates
- RC2/BF-CBC ciphers
- TLS 1.1 and older
Depending on which of these is broken, you should generate new certificates using SHA256, change the ciphers used, or switch the server to use TLS 1.2/1.3. If you can't do this, the correct workaround is to add `providers legacy default` to your OpenVPN configuration file, which configures OpenVPN to use the legacy provider WITHOUT enabling it for all applications.
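
One way to narrow down which of the three items listed in the post applies is sketched below. This is an added example, not part of the original post: it scans an OpenVPN configuration and the text output of `openssl x509 -noout -text` for a BF/RC2 cipher, a `tls-version-max` below 1.2, and a SHA1 certificate signature. The function names, the sample configuration and the sample certificate text are constructed for illustration.

```python
import re

CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback"}
OLD_TLS = {"1.0", "1.1"}

def parse_directives(config_text):
    """Yield (name, args) per OpenVPN directive, skipping comments and blanks."""
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def audit(config_text, cert_text=""):
    """Return (findings, legacy_provider_enabled) for one client or server setup."""
    findings, legacy_provider = [], False
    for name, args in parse_directives(config_text):
        if name in CIPHER_DIRECTIVES:
            # data-ciphers takes a colon-separated list; cipher takes one name
            for cipher in ":".join(args).split(":"):
                if re.match(r"(BF|RC2)-", cipher, re.IGNORECASE):
                    findings.append(f"legacy cipher {cipher} in '{name}'")
        elif name == "tls-version-max" and args and args[0] in OLD_TLS:
            findings.append(f"tls-version-max {args[0]} caps the session below TLS 1.2")
        elif name == "providers" and "legacy" in args:
            legacy_provider = True
    # openssl prints the signature algorithm twice; report it once
    for algo in re.findall(r"Signature Algorithm:\s*(\S+)", cert_text):
        if "sha1" in algo.lower():
            findings.append(f"certificate signed with {algo}")
            break
    return findings, legacy_provider

# Constructed sample inputs (not taken from a real deployment)
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.test 1194
cipher BF-CBC
tls-version-max 1.1
# providers legacy default
"""
SAMPLE_CERT_TEXT = """\
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example CA
    Signature Algorithm: sha1WithRSAEncryption
"""

if __name__ == "__main__":
    found, legacy = audit(SAMPLE_CONFIG, SAMPLE_CERT_TEXT)
    for item in found:
        print("needs fixing:", item)
    print("legacy provider enabled in this config:", legacy)
```

An empty findings list with the legacy provider enabled means the `providers` line can likely be removed again.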