On Wed, Jul 24, 2019 at 7:20 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
> just tried this on a "plain" CentOS 7 box and I am not seeing any seg
> faults upon client-connect; this is with the EPEL version of OpenVPN 2.4.7.
>

Correct, after running the following commands on the host where OpenVPN was segfaulting, it appears to have disabled FIPS system-wide, thereby allowing both the EPEL and the built-from-source version to work fine:

    yum remove dracut-fips\*
    dracut --force
    grubby --update-kernel=ALL --remove-args=fips=1
    sed -i 's/ fips=1//' /etc/default/grub

> The openssl library on RHEL/CentOS 7 is indeed FIPS compliant, but FIPS
> mode still needs to be explicitly enabled inside an application, usually
> using FIPS_mode_set().
> You can check whether your version of OpenVPN has been patched to do this
> by running:
>
> # objdump -tT /usr/sbin/openvpn | grep FIPS
>
> ( no output, meaning no FIPS calls )
>
> In contrast to:
>
> # objdump -tT /usr/bin/openssl | grep FIPS
> 0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode
> 0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode_set
>

This is exactly what I see on my system: OpenVPN does not return FIPS calls, whereas OpenSSL does. Interestingly enough though, on both the original system where I disabled FIPS and a new system which has FIPS enabled, OpenSSL still returns FIPS calls, but I assume they are not being enforced on the system where they were disabled.

After skimming through [1-5] below, I was able to take [2], remove the relevant fipsld bits, build, and successfully run OpenVPN on the FIPS-enabled image using

    $ sudo ~/openvpn-2.4.7/src/openvpn/openvpn --enable-fips-mode --config /etc/openvpn/server/server.conf

I understand this may not be FIPS compliant since I am not building against the OpenSSL-FIPS package, but it does allow OpenVPN to run on the FIPS image referenced in this thread. Ultimately not a great solution for me, as I would prefer to leverage upstream repos versus building upon every new release, but it does work.
Hope a patch makes it into OpenVPN!

[1] https://bugzilla.redhat.com/attachment.cgi?id=1193087
[2] https://github.com/iamjohnnym/openvpn-fips/blob/master/openvpn-fips.patch
[3] https://community.openvpn.net/openvpn/ticket/725
[4] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13620.html
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
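The objdump check from the quoted reply, combined with the kernel's fips=1 state that the commands above remove, can be turned into a small audit helper. This is an added example, not code from the thread or the OpenVPN project; it assumes /proc/sys/crypto/fips_enabled as the kernel FIPS flag and takes an `objdump -tT` listing on stdin, with the sample listing in the test constructed from the lines quoted above.

```sh
#!/bin/sh
# Audit helper: does a binary reference OpenSSL's FIPS_mode_set(), and is the
# kernel booted with fips=1?  The combination "kernel FIPS on, application
# without FIPS calls" is the situation described in the thread above.
# Constructed example; not part of OpenVPN or the mailing-list post.

# Return 0 if the objdump -tT listing on stdin references FIPS_mode_set.
# (Reads stdin, so always feed it a pipe or a file.)
has_fips_mode_set() {
    grep -q 'FIPS_mode_set'
}

# Return 0 if the kernel FIPS flag file (assumed default:
# /proc/sys/crypto/fips_enabled) exists and contains "1".
kernel_fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Print one verdict line for the binary whose objdump listing is on stdin.
# $1 (optional) overrides the fips_enabled path, which makes this testable
# without a FIPS-booted kernel.
fips_verdict() {
    fipsfile="$1"
    if has_fips_mode_set; then app=yes; else app=no; fi
    if kernel_fips_enabled "$fipsfile"; then kern=yes; else kern=no; fi
    case "$kern/$app" in
        yes/no)  echo "MISMATCH: kernel fips=1 but binary never calls FIPS_mode_set" ;;
        yes/yes) echo "OK: kernel fips=1 and binary references FIPS_mode_set" ;;
        no/*)    echo "INFO: kernel not in FIPS mode (binary FIPS calls: $app)" ;;
    esac
}

# Stand-alone use: ./fips_audit.sh /usr/sbin/openvpn
if [ "$#" -gt 0 ]; then
    objdump -tT "$1" | fips_verdict
fi
```

Run it against both /usr/sbin/openvpn and /usr/bin/openssl to reproduce the contrast the quoted reply points out.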