Hello community,

here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2016-09-16 11:01:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
 and      /work/SRC/openSUSE:Factory/.openvpn.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn" Changes: -------- --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2016-06-07 23:48:42.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2016-09-16 11:01:44.000000000 +0200 @@ -1,0 +2,8 @@ +Thu Sep 8 13:26:16 UTC 2016 - [email protected] + +- Add an example for a FIPS 140-2 approved cipher configuration to + the sample configuration files. Fixes bsc#988522 + adding openvpn-fips140-AES-cipher-in-config-template.patch +- remove gpg-offline signature verification, now a source service + +------------------------------------------------------------------- New: ---- openvpn-fips140-AES-cipher-in-config-template.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvpn.spec ++++++ --- /var/tmp/diff_new_pack.zI3Rao/_old 2016-09-16 11:01:46.000000000 +0200 +++ /var/tmp/diff_new_pack.zI3Rao/_new 2016-09-16 11:01:46.000000000 +0200 @@ -52,8 +52,8 @@ Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff Patch6: %{name}-fips140-2.3.2.patch +Patch7: openvpn-fips140-AES-cipher-in-config-template.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: gpg-offline BuildRequires: iproute2 BuildRequires: lzo-devel BuildRequires: openssl-devel @@ -133,11 +133,11 @@ This package provides the header file to build external plugins. %prep -%gpg_verify %{S:1} %setup -q -n %{name}-%{version} %patch1 -p0 %patch5 -p0 %patch6 -p1 +%patch7 -p1 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c ++++++ openvpn-fips140-AES-cipher-in-config-template.patch ++++++ 
From: Andreas Stieger <[email protected]> Date: Thu, 08 Sep 2016 15:23:12 +0200 Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00 Upstream: no The 2.3 default is blowfish which does not work in FIPS mode. This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode. Index: openvpn-2.3.8/sample/sample-config-files/client.conf =================================================================== --- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200 +++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200 @@ -111,6 +111,8 @@ remote-cert-tls server # If the cipher option is used on the server # then you must also specify it here. ;cipher x +# Use a FIPS 140-2 approved cipher in FIPS mode +;cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # Don't enable this unless it is also Index: openvpn-2.3.8/sample/sample-config-files/server.conf =================================================================== --- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200 +++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200 @@ -249,6 +249,8 @@ keepalive 10 120 ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES +# Use a FIPS 140-2 approved cipher in FIPS mode +;cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # If you enable it here, you must also
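Review bot: In openvpn.spec, hunk @@ -52,8 +52,8 @@, the new Patch7 line spells the package name out while Patch1, Patch5 and Patch6 directly above it use %{name}. For consistency write it as Patch7: %{name}-fips140-AES-cipher-in-config-template.patch.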
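Review bot: In openvpn.spec, hunk @@ -133,11 +133,11 @@, dropping %gpg_verify %{S:1} from %prep (together with BuildRequires: gpg-offline in the previous hunk) means the spec itself no longer checks the signature of the source tarball. The changelog says verification is "now a source service", but no service definition is part of this diff. Please confirm that the service is configured for this package and still covers the source that %{S:1} refers to, or keep the %prep check until it does.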
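Review bot: In sample/sample-config-files/client.conf, hunk @@ -111,6 +111,8 @@, the added ;cipher AES-256-CBC line is commented out just like ;cipher x above it, so a client started from this template still uses the default, which the patch description says is blowfish and does not work in FIPS mode. Extend the new comment to say that the line has to be uncommented in FIPS mode and has to match the cipher set on the server, as the existing comment above already requires.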
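Review bot: In sample/sample-config-files/server.conf, hunk @@ -249,6 +249,8 @@, the context line ;cipher BF-CBC # Blowfish (default) is left without any hint that, per the patch description, this default does not work in FIPS mode. A short remark on that line, plus a reminder next to the new ;cipher AES-256-CBC line that the client config needs the same cipher, would make the template self-explanatory for someone enabling FIPS mode.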
