Re: [Openvpn-devel] Enable FIPS encryption

2016-12-02 Thread boxartst
I think in order to activate FIPS mode in openvpn we need not only to build it 
against a FIPS-capable openssl, but also call the FIPS_mode_set() function inside 
the openvpn code. I'm guessing FIPS mode activation in the kernel in the case of 
RHEL means that all services and applications in the system would operate in 
FIPS mode (although I'm not absolutely sure). But what about other distributions 
like Ubuntu? I don't see a way to activate FIPS mode system-wide. I'm saying 
all this because it seems to me that we need to call the FIPS mode set function 
inside the openvpn code. The user guide 
(https://www.openssl.org/docs/fips/UserGuide-2.0.pdf) says this: 
"Somewhere very early in the execution of the application FIPS mode must be 
enabled. This should be done by invocation of the FIPS_mode_set() function 
call" (see section 5 if interested). So I don't think simply building openvpn 
with a FIPS-capable openssl would be enough to say openvpn is functioning in FIPS 
mode, as we need to enable FIPS mode inside the code. David, I understand that 
calling the FIPS mode function would break openvpn because it depends on some 
algorithms that are not FIPS approved. When could we expect to see a patch that 
would allow enabling FIPS mode in openvpn without breaking it?

02.12.2016, 16:28, "David Sommerseth" :
> On 02/12/16 13:55, debbie10t wrote:
>>  Hi,
>>
>>  On 02/12/16 10:32, boxar...@yandex.ru wrote:
>>>  Hi!
>>>
>>>  I would like to know if it's possible to enable fips enabled encryption on 
>>> my vpn server?
>>>  Here is a link to fips user guide 
>>> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
>>>  It looks like I'd have to change source code and compile it myself to make 
>>> it FIPS compliant.
>>>  Any help or advice would be very much appreciated.
>>
>>  Without very much effort it is possible to build openvpn with openssl
>>  FIPS support on CentOS7:
>>
>>  OpenVPN 2.4_beta2 [git:master/1c587a1112220618+]
>>  x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
>>  [MH/PKTINFO] [AEAD] built on Dec 1 2016
>>  library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
>>
>>  OpenSSL 1.0.1e-fips appears to be the default openssl developer library
>>  in CentOS7.
>>
>>  I do not know enough about FIPS certification to advise if *only* this
>>  change is sufficient to cover you for real world certification.
>
> This is partially right. But the system is at this point not in FIPS
> mode, so the hardening FIPS provides is still not active. You need to
> reboot the system into FIPS mode, which then disables several algorithms
> in OpenSSL which OpenVPN depends on - which makes OpenVPN fail.
>
> For more info:
> 
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH] Correctly state the default dhcp server address in man page

2016-12-02 Thread Selva Nair
Also correct the default ifconfig-pool end in docs and comments

Signed-off-by: Selva Nair 
---
 doc/openvpn.8| 4 ++--
 src/openvpn/helper.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index e61b6bb..290a441 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2793,7 +2793,7 @@ expands as follows:
  if dev tap OR (dev tun AND topology == subnet):
ifconfig 10.8.0.1 255.255.255.0
if !nopool:
- ifconfig\-pool 10.8.0.2 10.8.0.254 255.255.255.0
+ ifconfig\-pool 10.8.0.2 10.8.0.253 255.255.255.0
push "route\-gateway 10.8.0.1"
if route\-gateway unset:
  route\-gateway 10.8.0.2
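Review bot: the new pool end (10.8.0.254 changed to 10.8.0.253) is asserted but not justified anywhere a reader can check; the commit message only says "also correct the default ifconfig-pool end". Because this passage documents what --server expands to, the commit message should name the computation in helper_client_server() that yields the end address, so a reviewer can confirm that 10.8.0.253 is what the code actually emits and why the last host address is held back, and the same check should be run against any other expansion branch in this section that lists a pool end.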
@@ -5594,7 +5594,7 @@ virtual DHCP server address.  In
 .B \-\-dev tun
 mode, OpenVPN will cause the DHCP server to masquerade as if it were
 coming from the remote endpoint.  The optional offset parameter is
-an integer which is > \-256 and < 256 and which defaults to 0.
+an integer which is > \-256 and < 256 and which defaults to -1.
 If offset is positive, the DHCP server will masquerade as the IP
 address at network address + offset.
 If offset is negative, the DHCP server will masquerade as the IP
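Review bot: the changed line `+an integer which is > \-256 and < 256 and which defaults to -1.` writes the new default as a bare `-1`, while the same sentence escapes the minus in `\-256` and the option two lines above is written `\-\-dev tun`; in groff a bare hyphen renders as a hyphen rather than a minus sign, so this should be `\-1` to stay consistent with the rest of the paragraph.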
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 229523d..319c716 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -228,7 +228,7 @@ helper_client_server (struct options *o)
* if tap OR (tun AND topology == subnet):
*   ifconfig 10.8.0.1 255.255.255.0
*   if !nopool: 
-   * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
+   * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
*   push "route-gateway 10.8.0.1"
*   if route-gateway unset:
* route-gateway 10.8.0.2
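Review bot: this comment block in helper.c is a hand-maintained copy of the expansion text in doc/openvpn.8, and this very patch shows the two had already drifted apart (.254 in both places versus the corrected .253). Consider replacing the duplicated pseudo-config with a pointer to the --server section of the man page, or at minimum a note that the two must be changed together, so that the next edit to the pool computation below does not leave one of them stale again.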
-- 
2.1.4




Re: [Openvpn-devel] Enable FIPS encryption

2016-12-02 Thread Илья Шипицин
2016-12-02 17:55 GMT+05:00 debbie10t :

> Hi,
>
> On 02/12/16 10:32, boxar...@yandex.ru wrote:
> > Hi!
> >
> > I would like to know if it's possible to enable fips  enabled encryption
> on my vpn server?
> > Here is a link to fips user guide https://www.openssl.org/docs/
> fips/UserGuide-2.0.pdf .
> > It looks like I'd have to change source code and compile it myself to
> make it FIPS compliant.
> > Any help or advice would be very much appreciated.
> >
>
> Without very much effort it is possible to build openvpn with openssl
> FIPS support on CentOS7:
>
> OpenVPN 2.4_beta2 [git:master/1c587a1112220618+]
> x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> [MH/PKTINFO] [AEAD] built on Dec  1 2016
> library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
>
> OpenSSL 1.0.1e-fips appears to be the default openssl developer library
> in CentOS7.
>
> I do not know enough about FIPS certification to advise if *only* this
> change is sufficient to cover you for real world certification.
>

Since we build openssl ourselves in travis-ci, should we add "openssl fips"
to the travis-ci build matrix?

I guess "just build" is not proper testing.
And, as already said here, at least MD5 will become unavailable in FIPS mode.


>
> Regards
>
> 


Re: [Openvpn-devel] Enable FIPS encryption

2016-12-02 Thread David Sommerseth
On 02/12/16 13:55, debbie10t wrote:
> Hi,
> 
> On 02/12/16 10:32, boxar...@yandex.ru wrote:
>> Hi!
>>
>> I would like to know if it's possible to enable fips  enabled encryption on 
>> my vpn server?
>> Here is a link to fips user guide 
>> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
>> It looks like I'd have to change source code and compile it myself to make 
>> it FIPS compliant.
>> Any help or advice would be very much appreciated.
>>
> 
> Without very much effort it is possible to build openvpn with openssl
> FIPS support on CentOS7:
> 
> OpenVPN 2.4_beta2 [git:master/1c587a1112220618+] 
> x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] 
> [MH/PKTINFO] [AEAD] built on Dec  1 2016
> library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
> 
> OpenSSL 1.0.1e-fips appears to be the default openssl developer library
> in CentOS7.
> 
> I do not know enough about FIPS certification to advise if *only* this
> change is sufficient to cover you for real world certification.

This is partially right.  But the system is at this point not in FIPS
mode, so the hardening FIPS provides is still not active.  You need to
reboot the system into FIPS mode, which then disables several algorithms
in OpenSSL which OpenVPN depends on - which makes OpenVPN fail.

For more info:



-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH applied] Re: Do not restart dns client service as a part of --register-dns processing

2016-12-02 Thread Selva Nair
On Fri, Dec 2, 2016 at 6:28 AM, Gert Doering  wrote:

> On Thu, Dec 01, 2016 at 05:25:49PM -0500, Selva Nair wrote:
> > Do we want this in 2.3.14 as well ? If so I'll send a patch with service
> > part removed (note to self: remember to include docs and Changes.rst
> edits)
>
> My gut feeling is "leave 2.3 as it is, this could actually be *necessary*
> on XP".
>
> We're so close to 2.4 release that telling windows users that run into
> this issue to "just upgrade to 2.4, it will no longer restart dnscache
> *and* brings lots of more goodness anyway!" can be done with good faith.


Agreed. Also, on further thought, 2.3 needs to run openvpn as admin, so
replacing --register-dns with a script is a viable option for those who do
not want dns service restart.

Selva


Re: [Openvpn-devel] Enable FIPS encryption

2016-12-02 Thread debbie10t
Hi,

On 02/12/16 10:32, boxar...@yandex.ru wrote:
> Hi!
>
> I would like to know if it's possible to enable fips  enabled encryption on 
> my vpn server?
> Here is a link to fips user guide 
> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
> It looks like I'd have to change source code and compile it myself to make it 
> FIPS compliant.
> Any help or advice would be very much appreciated.
>

Without very much effort it is possible to build openvpn with openssl
FIPS support on CentOS7:

OpenVPN 2.4_beta2 [git:master/1c587a1112220618+] 
x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] 
[MH/PKTINFO] [AEAD] built on Dec  1 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06

OpenSSL 1.0.1e-fips appears to be the default openssl developer library
in CentOS7.

I do not know enough about FIPS certification to advise if *only* this
change is sufficient to cover you for real world certification.

Regards



Re: [Openvpn-devel] Enable FIPS encryption

2016-12-02 Thread David Sommerseth
On 02/12/16 11:32, boxar...@yandex.ru wrote:
> Hi!
> 
> I would like to know if it's possible to enable fips  enabled encryption on 
> my vpn server? 
> Here is a link to fips user guide 
> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
> It looks like I'd have to change source code and compile it myself to make it 
> FIPS compliant. 
> Any help or advice would be very much appreciated. 
> 
> Thanks,
> Artem


OpenVPN needs to be adapted to be useful in FIPS mode.  We are tracking
this issue in trac ticket #725.

http://community.openvpn.net/openvpn/ticket/725



-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH applied] Re: Do not restart dns client service as a part of --register-dns processing

2016-12-02 Thread Gert Doering
Hi,

On Thu, Dec 01, 2016 at 05:25:49PM -0500, Selva Nair wrote:
> Do we want this in 2.3.14 as well ? If so I'll send a patch with service
> part removed (note to self: remember to include docs and Changes.rst edits)

My gut feeling is "leave 2.3 as it is, this could actually be *necessary* 
on XP".

We're so close to 2.4 release that telling windows users that run into
this issue to "just upgrade to 2.4, it will no longer restart dnscache
*and* brings lots of more goodness anyway!" can be done with good faith.

It's not like we've had tons of bug reports about that so far...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




[Openvpn-devel] Enable FIPS encryption

2016-12-02 Thread boxartst
Hi!

I would like to know if it's possible to enable FIPS-enabled encryption on my 
vpn server? 
Here is a link to the FIPS user guide: 
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf .
It looks like I'd have to change the source code and compile it myself to make it 
FIPS compliant. 
Any help or advice would be very much appreciated. 

Thanks,
Artem



Re: [Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd

2016-12-02 Thread David Sommerseth
On 02/12/16 02:45, debbie10t wrote:
[...snip...]
> My east.conf file:
> 
> # cat server/east.conf
> 
> ### TESTS
> #
> ## systemd enhancements: failed as expect
> ;bad-opt
> 
> ## daemon: Did *not* fail when run from systemd service
> daemon vpn-srv-east

This is just as expected.  Having --daemon in the config should not
cause any failure.  It should just drop trying to daemonize if it is
detected that OpenVPN is started via systemd.

Look at init.c:930, possibly_become_daemon()

If sd_notify() returns a value > 0, then OpenVPN is started via
systemctl - as sd_notify() has a communication channel with the service
manager, and it will not try to daemonize.

If sd_notify() returns 0, it means it doesn't know how to communicate with
the service manager.  And < 0 means something bad happened.  In both
these cases, openvpn will daemonize as if it was not managed by systemd
at all.

So your test showed that this worked just as expected :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
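The three sd_notify() outcomes described in the message above, as an added example that is not OpenVPN's code and not part of the original thread. It implements a minimal sd_notify() speaking the same protocol libsystemd uses (a datagram to the unix socket named in NOTIFY_SOCKET, with a leading '@' meaning an abstract-namespace socket), and the decision rule possibly_become_daemon() is described as applying: stay in the foreground only when the return value is > 0, daemonize on 0 or on an error. The names mini_sd_notify, should_daemonize and selftest_roundtrip are illustrative, and the self-test assumes a Linux/POSIX host with a writable /tmp.

```c
/* Added example, not OpenVPN's code: a minimal sd_notify() that speaks the
 * same protocol as libsystemd (a datagram to the unix socket named in
 * NOTIFY_SOCKET), plus the daemonize decision described in the thread.
 * Assumptions: Linux/POSIX sockets, /tmp writable for the self-test;
 * all function names here are illustrative, not OpenVPN's. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Same contract as libsystemd's sd_notify():
 *   > 0  message delivered to the service manager (started by systemd)
 *   = 0  NOTIFY_SOCKET unset, nobody to talk to
 *   < 0  negative errno, something went wrong while sending */
int mini_sd_notify(int unset_environment, const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t len = strlen(path);
    if (len >= sizeof addr.sun_path) {
        if (unset_environment)
            unsetenv("NOTIFY_SOCKET");
        return -ENAMETOOLONG;
    }
    memcpy(addr.sun_path, path, len);
    /* systemd spells abstract-namespace sockets with a leading '@' */
    int abstract = (addr.sun_path[0] == '@');
    if (abstract)
        addr.sun_path[0] = '\0';
    socklen_t addrlen = offsetof(struct sockaddr_un, sun_path) + len + (abstract ? 0 : 1);

    int rc;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) {
        rc = -errno;
    } else {
        ssize_t n = sendto(fd, state, strlen(state), 0, (struct sockaddr *)&addr, addrlen);
        rc = (n < 0) ? -errno : 1;
        close(fd);
    }
    if (unset_environment)
        unsetenv("NOTIFY_SOCKET");
    return rc;
}

/* The rule from possibly_become_daemon(): skip daemonizing only when the
 * service manager actually received our message; on 0 or an error,
 * behave as if systemd were not involved at all. */
int should_daemonize(int sd_notify_rc)
{
    return sd_notify_rc <= 0;
}

/* Self-test: bind a receiver, point NOTIFY_SOCKET at it, and check that
 * READY=1 arrives and that the caller would then *not* daemonize.
 * Returns 1 on success, 0 otherwise. Leaves NOTIFY_SOCKET unset. */
int selftest_roundtrip(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/mini-sd-notify-%ld.sock", (long)getpid());
    unlink(path);

    int rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rx < 0)
        return 0;
    struct sockaddr_un a;
    memset(&a, 0, sizeof a);
    a.sun_family = AF_UNIX;
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    if (bind(rx, (struct sockaddr *)&a, sizeof a) < 0) {
        close(rx);
        return 0;
    }

    setenv("NOTIFY_SOCKET", path, 1);
    int rc = mini_sd_notify(1, "READY=1");   /* 1: clear NOTIFY_SOCKET afterwards */
    char buf[32] = {0};
    ssize_t n = recv(rx, buf, sizeof buf - 1, MSG_DONTWAIT);
    close(rx);
    unlink(path);

    return rc > 0 && n == 7 && memcmp(buf, "READY=1", 7) == 0
        && !should_daemonize(rc) && getenv("NOTIFY_SOCKET") == NULL;
}

int main(void)
{
    int rc = mini_sd_notify(0, "READY=1");
    printf("sd_notify rc=%d -> %s\n", rc,
           should_daemonize(rc) ? "daemonize" : "stay in foreground");
    printf("self-test: %s\n", selftest_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Run from a plain shell the first line reports rc=0 and "daemonize", because nothing set NOTIFY_SOCKET; run from a systemd unit with Type=notify it reports rc=1 and "stay in foreground". The self-test reproduces the latter without systemd by acting as the service manager itself.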






[Openvpn-devel] OpenVPN 2.4_rc1 released

2016-12-02 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4_rc1. 
It can be downloaded from here:



This release includes several smaller fixes and improvements. A summary 
of these changes is available here:



A full list of changes is available here.



For generic help use these support channels:

Official documentation: 

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
