On 02/12/16 13:55, debbie10t wrote:
> Hi,
> 
> On 02/12/16 10:32, boxar...@yandex.ru wrote:
>> Hi!
>>
>> I would like to know if it's possible to enable FIPS-enabled encryption on
>> my vpn server?
>> Here is a link to fips user guide 
>> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
>> It looks like I'd have to change source code and compile it myself to make 
>> it FIPS compliant.
>> Any help or advice would be very much appreciated.
>>
> 
> Without very much effort it is possible to build openvpn with openssl
> FIPS support on CentOS7:
> 
> OpenVPN 2.4_beta2 [git:master/1c587a1112220618+] 
> x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] 
> [MH/PKTINFO] [AEAD] built on Dec  1 2016
> library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
> 
> OpenSSL 1.0.1e-fips appears to be the default openssl developer library
> in CentOS7.
> 
> I do not know enough about FIPS certification to advise if *only* this
> change is sufficient to cover you for real world certification.

This is partially right.  But the system is at this point not in FIPS
mode, so the hardening FIPS provides is still not active.  You need to
reboot the system into FIPS mode, which then disables several algorithms
in OpenSSL which OpenVPN depends on - which makes OpenVPN fail.

For more info:
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html#sect-Federal_Information_Processing_Standard>


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
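
Added example, not part of the original message or of OpenVPN: a shell function that separates the two conditions discussed in this thread, an OpenSSL build that is FIPS-capable versus a system actually booted into FIPS mode. It assumes the kernel flag file `/proc/sys/crypto/fips_enabled` used by RHEL/CentOS and the `-fips` suffix seen in the version output quoted above; the function name and result labels are hypothetical.

```shell
#!/bin/sh
# Classify a host's FIPS state from two inputs (added example).
#   $1 = path to the kernel FIPS flag file
#        (on RHEL/CentOS: /proc/sys/crypto/fips_enabled)
#   $2 = the "library versions:" line printed by `openvpn --version`
# Prints one of:
#   fips-mode     FIPS-capable OpenSSL and the kernel flag is 1
#   capable-only  FIPS-capable OpenSSL, but the system is not in FIPS mode
#   not-capable   the linked OpenSSL carries no "-fips" marker
fips_state() {
    flag_file=$1
    lib_line=$2

    # Kernel flag reads "1" only when the system was booted in FIPS mode.
    # A missing or unreadable file is treated as "not in FIPS mode".
    kernel=0
    if [ -r "$flag_file" ]; then
        kernel=$(tr -d '[:space:]' < "$flag_file")
    fi

    # RHEL/CentOS OpenSSL builds with the FIPS module show a "-fips" suffix.
    case $lib_line in
        *OpenSSL*-fips*) lib=1 ;;
        *)               lib=0 ;;
    esac

    if [ "$lib" -eq 1 ] && [ "$kernel" = "1" ]; then
        echo fips-mode
    elif [ "$lib" -eq 1 ]; then
        echo capable-only
    else
        echo not-capable
    fi
}

# Usage on a live host:
#   fips_state /proc/sys/crypto/fips_enabled \
#       "$(openvpn --version | grep 'library versions')"
```

A result of `capable-only` matches the build described earlier in the thread: the library is present, but the algorithm restrictions only take effect once the flag reads 1, so OpenVPN needs to be tested again after the reboot into FIPS mode.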

