I want just add to this how such change was inconvenient at same time I want to make clear that I understand it was a needed change as SHA1 is insecure nowadays. It is not a rant ! I don't have control over the generation of certificate, it was generated by the company that I work for and they can not change either, as they use a appliance that for now there is no updates in this regard. To be able to work for them I had to setup a Win11 VM on my linux box and on that virtual windows I run openvpn with the certificate that they provide. Than I may open ssh sessions to machines inside their network. It works, but far from ideal. There is a extra layer, as you can see. So a workaround, as mentioned, is needed to preserve backward compatibility.