I think in order to activate FIPS mode in OpenVPN we need not only to build it 
against a FIPS-capable OpenSSL, but also to call the FIPS_mode_set() function 
inside the OpenVPN code. I'm guessing FIPS mode activation in the kernel in the 
case of RHEL means that all services and applications in the system would 
operate in FIPS mode (although I'm not absolutely sure). But what about other 
distributions like Ubuntu? I don't see a way to activate FIPS mode system-wide. 
I'm saying all this because it seems to me that we need to call the FIPS mode 
set function inside the OpenVPN code. The user guide 
(https://www.openssl.org/docs/fips/UserGuide-2.0.pdf) says this: 
"Somewhere very early in the execution of the application FIPS mode must be 
enabled. This should be done by invocation of the FIPS_mode_set() function 
call" (see section 5 if interested). So I don't think simply building OpenVPN 
with a FIPS-capable OpenSSL would be enough to say OpenVPN is functioning in 
FIPS mode, as we need to enable FIPS mode inside the code. David, I understand 
that calling the FIPS mode function would break OpenVPN because it depends on 
some algorithms that are not FIPS approved. When can we expect to see a patch 
that would allow enabling FIPS mode in OpenVPN without breaking it?

02.12.2016, 16:28, "David Sommerseth" <open...@sf.lists.topphemmelig.net>:
> On 02/12/16 13:55, debbie10t wrote:
>>  Hi,
>>
>>  On 02/12/16 10:32, boxar...@yandex.ru wrote:
>>>  Hi!
>>>
>>>  I would like to know if it's possible to enable fips enabled encryption on 
>>> my vpn server?
>>>  Here is a link to fips user guide 
>>> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
>>>  It looks like I'd have to change source code and compile it myself to make 
>>> it FIPS compliant.
>>>  Any help or advice would be very much appreciated.
>>
>>  Without very much effort it is possible to build openvpn with openssl
>>  FIPS support on CentOS7:
>>
>>  OpenVPN 2.4_beta2 [git:master/1c587a1112220618+]
>>  x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
>>  [MH/PKTINFO] [AEAD] built on Dec 1 2016
>>  library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
>>
>>  OpenSSL 1.0.1e-fips appears to be the default openssl developer library
>>  in CentOS7.
>>
>>  I do not know enough about FIPS certification to advise if *only* this
>>  change is sufficient to cover you for real world certification.
>
> This is partially right. But the system is at this point not in FIPS
> mode, so the hardening FIPS provides is still not active. You need to
> reboot the system into FIPS mode, which then disables several algorithms
> in OpenSSL which OpenVPN depends on - which makes OpenVPN fail.
>
> For more info:
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html#sect-Federal_Information_Processing_Standard>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
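The thread distinguishes three things that are easy to conflate: OpenVPN being linked against a FIPS-capable OpenSSL (the "1.0.1e-fips" string in debbie10t's build output), the system actually running in FIPS mode (the RHEL/CentOS reboot-into-FIPS-mode switch David refers to), and the application itself calling FIPS_mode_set() early on. The shell script below is an added example, not code from the thread or from the OpenVPN project; it checks the first two preconditions from the outside so an operator can see which one is missing. It assumes the kernel switch is exposed at /proc/sys/crypto/fips_enabled (the RHEL/CentOS location; the path is a parameter so other distributions can point it elsewhere) and that a FIPS-capable OpenSSL 1.0.x reports a "-fips" suffix in its version string, as in the quoted `openvpn --version` output. The sample version text is the one quoted in the thread. Note the caveat the thread itself makes: passing both checks still does not show that OpenVPN has enabled FIPS mode inside its own code.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): tell apart
# "built against a FIPS-capable OpenSSL" from "running on a system in FIPS mode".

# Constructed sample: the `openvpn --version` output quoted earlier in the thread.
SAMPLE_VERSION='OpenVPN 2.4_beta2 [git:master/1c587a1112220618+]
x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 1 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06'

# Report the kernel-level FIPS switch. On RHEL/CentOS this is
# /proc/sys/crypto/fips_enabled (1 = FIPS mode, 0 = not). The path is a
# parameter so the check can be run against a constructed file or another
# distribution's location. Prints enabled/disabled/unavailable/unknown.
fips_kernel_status() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$fips_file" ]; then
        # No switch exposed at all, e.g. a distribution without a
        # system-wide FIPS mode (the Ubuntu case raised in the thread).
        echo "unavailable"
        return 2
    fi
    case "$(tr -d '[:space:]' < "$fips_file")" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# Read `openvpn --version` output from stdin and classify the OpenSSL it was
# linked against. A "-fips" suffix only means the library is FIPS-capable;
# it says nothing about whether FIPS mode is active.
openvpn_openssl_fips_capable() {
    version_line="$(grep -i 'library versions:' | head -n 1)"
    case "$version_line" in
        *OpenSSL*-fips*) echo "fips-capable";     return 0 ;;
        *OpenSSL*)       echo "not-fips-capable"; return 1 ;;
        *)               echo "no-openssl";       return 2 ;;
    esac
}

# Combine both checks: $1 is the fips_enabled path (optional), stdin is the
# `openvpn --version` output. Returns 0 only when the library is FIPS-capable
# AND the system switch is on. Even then, this does not prove that OpenVPN
# called FIPS_mode_set() itself, which is the thread's open question.
openvpn_fips_assessment() {
    lib_status="$(openvpn_openssl_fips_capable)"
    kernel_status="$(fips_kernel_status "$1")"
    if [ "$lib_status" = "fips-capable" ] && [ "$kernel_status" = "enabled" ]; then
        echo "fips-mode: library FIPS-capable and system FIPS switch on"
        return 0
    fi
    echo "not-fips-mode: library=$lib_status system=$kernel_status"
    return 1
}

# Usage: on a host with openvpn installed, inspect the real binary; otherwise
# run the assessment over the constructed sample (a non-zero status is the
# expected "not in FIPS mode" answer, so it is not treated as a script error).
if command -v openvpn >/dev/null 2>&1; then
    openvpn --version 2>/dev/null | openvpn_fips_assessment || :
else
    printf '%s\n' "$SAMPLE_VERSION" | openvpn_fips_assessment || :
fi
```

The two inner functions are kept separate so that the output names which precondition failed: "library=not-fips-capable" points at the build (link against the distribution's FIPS-capable OpenSSL), while "system=disabled" or "system=unavailable" points at the host, where on RHEL/CentOS the fix is the documented reboot into FIPS mode and on other distributions there may be no system-wide switch at all.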