This bug was fixed in the package openvpn - 2.3.10-1ubuntu2.2
---
openvpn (2.3.10-1ubuntu2.2) xenial; urgency=medium
* d/p/openvpn-fips140-2.3.2.patch: Replace MD5 internal hash
with SHA256 and allow MD5 for PRF. (LP: #1807439)
-- Joy Latten Wed, 09 Jan 2019 16:31:45
-0600
This bug was fixed in the package openvpn - 2.4.4-2ubuntu1.2
---
openvpn (2.4.4-2ubuntu1.2) bionic; urgency=medium
* d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
(LP: #1807439)
-- Joy Latten Wed, 09 Jan 2019 15:50:03
-0600
** Changed in: openvpn
This bug was fixed in the package openvpn - 2.4.6-1ubuntu2.1
---
openvpn (2.4.6-1ubuntu2.1) cosmic; urgency=medium
* d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
(LP: #1807439)
-- Joy Latten Thu, 10 Jan 2019 13:48:21
-0600
** Changed in: openvpn
verification done on following:
xenial: openvpn-2.3.10-1ubuntu2.2
bionic: openvpn-2.4.4-2ubuntu1.2
cosmic: openvpn-2.4.6-1ubuntu2.1
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
Verified using same test data allowing for interoperability testing
between the various releases and with fips for xenial and bionic.
** Tags removed: verification-needed-bionic verification-needed-cosmic
verification-needed-xenial
** Tags added: verification-done-bionic verification-done-cosmic
Successfully verified xenial, bionic, and cosmic.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
To manage notifications about this bug go
Testing in progress...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
To manage notifications about this bug go to:
Hello there!
This bug looks like a really well-done SRU bug - a nice clear test case
and justification.
The only thing it's missing now is actually testing the upload! :)
There's another openvpn SRU waiting in the queue now; could someone
please do the testing for this so that we can release it
Oh, and a special thanks for explaining clearly all the details in the
bug description. That got me up to speed quickly and allowed me to
review without having to ask any questions!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Accepted, thanks.
For the record, I think it's a little blurry as to whether this is a
bugfix or a new (FIPS-related) feature, but regardless I think it
clearly qualifies under the "For Long Term Support releases we sometimes
want to introduce new features" from a FIPS perspective. I think the
Hello Joy, or anyone else affected,
Accepted openvpn into cosmic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openvpn/2.4.6-1ubuntu2.1 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
** Changed in: openvpn (Ubuntu Xenial)
Status: New => In Progress
** Changed in: openvpn (Ubuntu Xenial)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
** Changed in: openvpn (Ubuntu Xenial)
Status: New => In Progress
** Changed in: openvpn (Ubuntu Xenial)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
[IMPACT]
openvpn segfaults when using fips-mode openssl because of MD5.
xenial has version 2.3.x and subsequent releases have 2.4.x.
MD5 is used in 2 places in 2.3.x and one place in 2.4.x.
-
+
First place:
openvpn when estabishing a tls connection will
** Description changed:
[IMPACT]
openvpn segfaults when using fips-mode openssl because of MD5.
xenial has version 2.3.x and subsequent releases have 2.4.x.
MD5 is used in 2 places in 2.3.x and one place in 2.4.x.
-
+
First place:
openvpn when estabishing a tls connection will
** Changed in: openvpn (Ubuntu Cosmic)
Status: New => Incomplete
** Changed in: openvpn (Ubuntu Cosmic)
Status: Incomplete => In Progress
** Changed in: openvpn (Ubuntu Bionic)
Status: New => In Progress
** Changed in: openvpn (Ubuntu Bionic)
Assignee: (unassigned) =>
** Changed in: openvpn (Ubuntu Cosmic)
Status: New => Incomplete
** Changed in: openvpn (Ubuntu Cosmic)
Status: Incomplete => In Progress
** Changed in: openvpn (Ubuntu Bionic)
Status: New => In Progress
** Changed in: openvpn (Ubuntu Bionic)
Assignee: (unassigned) =>
** Merge proposal linked:
https://code.launchpad.net/~j-latten/ubuntu/+source/openvpn/+git/openvpn/+merge/361636
** Merge proposal linked:
https://code.launchpad.net/~j-latten/ubuntu/+source/openvpn/+git/openvpn/+merge/361638
** Merge proposal linked:
** Merge proposal linked:
https://code.launchpad.net/~j-latten/ubuntu/+source/openvpn/+git/openvpn/+merge/361636
** Merge proposal linked:
https://code.launchpad.net/~j-latten/ubuntu/+source/openvpn/+git/openvpn/+merge/361638
** Merge proposal linked:
This bug was fixed in the package openvpn - 2.4.6-1ubuntu3
---
openvpn (2.4.6-1ubuntu3) disco; urgency=medium
* d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
(LP: #1807439)
-- Joy Latten Wed, 09 Jan 2019 12:25:59
-0600
** Changed in: openvpn (Ubuntu
** Changed in: openvpn (Ubuntu Disco)
Status: New => In Progress
** Changed in: openvpn (Ubuntu Disco)
Assignee: (unassigned) => Joy Latten (j-latten)
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
** Changed in: openvpn (Ubuntu Disco)
Status: New => In Progress
** Changed in: openvpn (Ubuntu Disco)
Assignee: (unassigned) => Joy Latten (j-latten)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Also affects: openvpn via
https://community.openvpn.net/openvpn/ticket/725
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn
** Also affects: openvpn via
https://community.openvpn.net/openvpn/ticket/725
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1807439
Title:
This bug has been reported:
1.Upstream Bug: https://community.openvpn.net/openvpn/ticket/725
2.Suse Bug report:
https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch
** Description changed:
[IMPACT]
+ openvpn segfaults when using fips-mode openssl
Applied fixes for above comments. After some team discussion, decided to
use sha256 for internal hash rather than sha1 in xenial as well.
Internal hash is never communicated externally. Performed additional
interoperability testing successfully using same test parameters as
previously.
** Merge proposal linked:
https://code.launchpad.net/~j-latten/ubuntu/+source/openvpn/+git/openvpn/+merge/361583
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn
** Merge proposal linked:
https://code.launchpad.net/~j-latten/ubuntu/+source/openvpn/+git/openvpn/+merge/361583
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes
** Also affects: openvpn (Ubuntu Cosmic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
To
** Also affects: openvpn (Ubuntu Cosmic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips
Thanks for all this testing!
Could you please convert the debdiffs into actual merge proposals
against openvpn? It's easier to review.
For example, the dep3 header in the xenial patch:
+Description: Use FIPS algos in openvpn
+Bug-Ubuntu:
+Forwarded: not-needed
+Author: Stephan Mueller
+---
Thanks for all this testing!
Could you please convert the debdiffs into actual merge proposals
against openvpn? It's easier to review.
For example, the dep3 header in the xenial patch:
+Description: Use FIPS algos in openvpn
+Bug-Ubuntu:
+Forwarded: not-needed
+Author: Stephan Mueller
+---
Taking a look
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
To manage notifications about this bug go to:
Taking a look
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
To manage notifications about this bug go to:
** Changed in: openvpn (Ubuntu Bionic)
Status: Incomplete => New
** Changed in: openvpn (Ubuntu Xenial)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
** Description changed:
[IMPACT]
openvpn when estabishing a tls connection will segfault when used with
Ubuntu's FIPS 140-2 libcrypto.so (openssl).
- openvpn tls connection does TLS PRF(pseudorandom function) to produce
securely generated pseudo random output that is used to generate
2 testcases using same parameters for prior testcases, except that
installed FIPS-mode libcrypto.so to test and ensure FIPS-mode
libcrypto.so honors the flag to allow MD5 in PRF and does not cause
openvpn to segfault because MD5 is missing.
** Attachment added: "testcase-data-fips"
The xenial patch has additional code. In version 2.3.10, openvpn uses
MD5 for PRF and internally for configuration status verification. FIPS
140-2 permits MD5 for PRF, but not as a hash for internal verification.
Subsequent versions of openvpn (2.4) was changed upstream to not use
MD5, instead
** Attachment added: "debdiff.bionic"
https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222054/+files/debdiff.bionic
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
build log for xenial:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743720
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
build log for bionic:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743676
** Also affects: openvpn (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: openvpn (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: openvpn (Ubuntu
Hi Christian,
Hopefully the testcase-data file follows what you described. If not, let
me know and I can reorganize it for improved readability.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
** Attachment added: "debdiff.disco"
https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222037/+files/debdiff.disco
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Attachment removed: "debdiff for disco"
https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222035/+files/debdiff.disco
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
testcase-data contains some of the data produces as a result of
interoperability testing. It is applicable to xenial, bionic and disco.
** Attachment added: "testcase-data"
https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222036/+files/testcase-data
--
You
build log for disco:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743680
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run with fips openssl
debdiff.disco
** Attachment added: "debdiff for disco"
https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222035/+files/debdiff.disco
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Thanks for the first update, when you attach the rest of the test data please
make sure to not only add words like "comprised establishing a tls connection
between an openvpn client and server" but more like:
#1 fresh container
$ command 1
$ command 2
--
You received this bug notification
** Description changed:
- FIPS 140-2 does not permit MD5 except when used for pseudorandom
- function (PRF). When openvpn requests MD5 operation to FIPS-mode-
- openssl, since it is not allowed in general, fips-mode-openssl goes into
- an error state.
+ [IMPACT]
+ openvpn when estabishing a tls
Checked on IRC, there are debdiff, testing data, etc...
Please set back to new once that was made available.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439
Title:
openvpn crashes when run
Hi,
I'm really unsure what the expectation here is now.
This does not contain steps to reproduce the issue nor any suggested changes to
make it work better.
Both would be needed.
Also is this actually the code in the main archive or any FIPS special
PPA?
** Changed in: openvpn (Ubuntu Disco)
51 matches
Mail list logo
