On 18/08/2021 23:33, Arne Schwabe wrote:
OpenSSL on RHEL 8 and CentOS 8 systems, when these systems are put into
FIPS mode, needs extra code to figure out if a specific cipher algorithm
is usable on these systems. This is particularly a problem in data-ciphers
as the errors might occur much later when a client connects, and as these
ciphers are not caught during config initialisation.

This also prepares for adding Chacha20-Poly1305 when available to
data-ciphers by making the detection logic used to check if
cipher_kt_get returns non-NULL work on these systems.

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
  src/openvpn/crypto.c         |  6 ++++++
  src/openvpn/crypto_openssl.c | 10 ++++++++++
  2 files changed, 16 insertions(+)


I've looked at the code, built it on a RHEL-8.4 box with FIPS enabled and tested the binary with FIPS both enabled and disabled. It works smoothly there.

The OPENSSL_FIPS macro is defined in /usr/include/openssl/opensslconf-x86_64.h. So it is handled outside of OpenVPN, and without that macro we don't need to be concerned about the FIPS_mode() function.

As mentioned in the community developer meeting today, there are some concerns about the recently released OpenSSL 3.0 and FIPS - but let's tackle that further down the road once we have distributions with the latest OpenSSL library more easily available.

The bottom line is ...

Acked-By: David Sommerseth <dav...@openvpn.net>


--
kind regards,

David Sommerseth
OpenVPN Inc



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
