It seems to mostly replace all "md5_..." stuff with "sha1_..." functions (looks very much like find-and-replace to me...) *and* it adds a special fips function call that allows MD5 in certain circumstances...
+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not + * to be used anywhere else */ + if(kt == EVP_md5() && prf_use) + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);

The main usage we have for md5 is the PUSH_OPTION hash comparison - which is really not a "crypto" thing, just a "hash that is around to be used", and it's a local thing - so changing that all to sha1_* will not harm interoperability.

gert

I browsed through the opensuse patch and it appeared to match up with the source files for openvpn 2.3.11 so I applied the patch. I am now successfully connecting the tunnel in FIPS MODE!! Thanks for the assistance!

Peter
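Review bot: in the `if(kt == EVP_md5() && prf_use)` condition, the entire FIPS exemption hinges on the caller-supplied `prf_use`, and nothing in these lines shows how that value is set. Please confirm that every call site other than the TLS PRF passes it as false, and extend the comment to name the one caller that is expected to pass it as true, so that a later change cannot quietly widen the MD5 allowance. The flag is also set on `ctx` itself, so it is worth checking that the same context is not reused afterwards for an HMAC that is not part of the PRF while `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is still set.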