> 
> IMO, this idea that OpenSSL folks have that just adding a "fips=yes"
> plus a few lines in the config can make the application FIPS enabled is
> far-fetched. In reality OpenVPN will have to be recompiled with some
> changes to make it FIPS compliant. At that point one can also change
> what providers are loaded by default.

There is a wide range between completely FIPS compliant and
non-FIPS compliant. Especially on Red Hat Enterprise, you can set the
system to a FIPS mode where OpenSSL stops offering non-FIPS algorithms
and other crypto libraries also no longer offer non-FIPS algorithms.

And I put some effort into making OpenVPN still behave nicely in those
situations. It is not really compliant/certified per se but for a lot of
customers that is "good enough".

The "fips=yes" is similar, I think. It is "good enough" for many people.

> I was thinking of having a load_providers() function called early -- say
> in options-post-process stage where we load

This commit already loads them as early as possible after parsing
options if the option is enabled.

> 
> (i) default provider
> (ii) providers specified in --providers option
> 
> This adds much certainty to what is available. A FIPS-enabled OpenVPN
> can change this or we could have a --fips option that changes this. No
> dependency on system-wide config file and those who need legacy only
> need to just specify "--providers legacy"
> 
> In addition, one could automatically load "legacy" if any of the options
> indicate its need -- like NTLM auth for proxy or BF-CBC in
> --data-ciphers etc. In situations where it cannot be inferred from
> options, user will have to use --providers legacy, though.
> 
> It may be necessary to call this load_providers() also to process
> options like --show-ciphers and similar.

No. I am actually against loading legacy on demand or loading the
default provider if --provider is not specified. Often there are system
wide security defaults in place and I don't think OpenVPN should
override them unless explicitly instructed to do so.

Especially on Red Hat Enterprise 9, or whatever will have OpenSSL 3.0,
I would expect FIPS mode to switch to a global OpenSSL config that
uses the FIPS provider instead of default. And I don't want to break
that by loading default.

Arne


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel