> IMO, this idea that OpenSSL folks have that just adding a "fips=yes"
> plus a few lines in the config can make the application FIPS enabled is
> far-fetched. In reality OpenVPN will have to be recompiled with some
> changes to make it FIPS compliant. At that point one can also change
> what providers are loaded by default.
There is a wide range between completely fully FIPS compliant and non-FIPS compliant. Especially on Red Hat Enterprise, you can set the system to a FIPS mode where OpenSSL stops offering non-FIPS algorithms and also other crypto libraries do not do non-FIPS algorithms anymore. And I put some effort into making OpenVPN still behave nicely in those situations. It is not really compliant/certified per se but for a lot of customers that is "good enough". The "fips=yes" is similar I think. It is "good enough" for many people.

> I was thinking of having a load_providers() function called early -- say
> in options-post-process stage where we load

This commit already loads them as early as possible after parsing options if the option is enabled.

>
> (i) default provider
> (ii) providers specified in --providers option
>
> This adds much certainty to what is available. A FIPS-enabled OpenVPN
> can change this or we could have a --fips option that changes this. No
> dependency on system-wide config file and those who need legacy only
> need to just specify "--providers legacy"
>
> In addition, one could automatically load "legacy" if any of the options
> indicate its need -- like NTLM auth for proxy or BF-CBC in
> --data-ciphers etc. In situations where it cannot be inferred from
> options, user will have to use --providers legacy, though.
>
> It may be necessary to call this load_providers() also to process
> options like --show-ciphers and similar.

No. I am actually against loading legacy on demand or loading the default provider if --provider is not specified. Often there are system wide security defaults in place and I don't think OpenVPN should override them unless explicitly instructed to do so. Especially in the Red Hat Enterprise 9 or whatever will have OpenSSL 3.0 I would expect in fips mode to switch to a global config of OpenSSL that uses the FIPS provider instead of default. And I don't want to break that by loading default.
Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel