** Description changed: When fips-preview is enabled in a Jammy server running openvpn --show- ciphers returns nothing. This is caused by openvpn not loading the FIPS OpenSSL provider. This actually works fine upstream but was broken by a previous ubuntu patch that re-enables some algorithms that where moved to the legacy provider by OpenSSL 3.0. + + [Impact] + When fips-preview is enabled in a Jammy server running openvpn --show-ciphers returns nothing. This is caused by openvpn not loading the FIPS OpenSSL provider. This actually works fine upstream but was broken by a previous ubuntu patch that re-enables some algorithms that where moved to the legacy provider by OpenSSL 3.0. + + [Test Plan] + The bug can be reproducer by just running: + + openvpn --show-ciphers + + The non-patched version returns no algorithms and the patched version + should include a list of cipher algorithms like this: + + AES-128-CBC (128 bit key, 128 bit block) + AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only) + AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only) + AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only) + AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only) + AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only) + ... + + [Where problems could occur] + If the FIPS provider is not present (like on non FIPS hardened servers) the provider variable is NULL. That might generate some issues although I have seen no problems.
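Review bot: the added [Test Plan] has no step for the case that [Where problems could occur] names, a host where the FIPS provider is not present and the provider variable is NULL. It also does not say which host state the command is run on. Suggest stating that the reproduction is on a Jammy server with fips-preview enabled, and adding a second step that runs openvpn --show-ciphers on a host without the FIPS provider and gives the expected output, so that path is covered by a test rather than by "I have seen no problems".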
** Description changed: - When fips-preview is enabled in a Jammy server running openvpn --show- - ciphers returns nothing. This is caused by openvpn not loading the FIPS - OpenSSL provider. This actually works fine upstream but was broken by a - previous ubuntu patch that re-enables some algorithms that where moved - to the legacy provider by OpenSSL 3.0. - [Impact] When fips-preview is enabled in a Jammy server running openvpn --show-ciphers returns nothing. This is caused by openvpn not loading the FIPS OpenSSL provider. This actually works fine upstream but was broken by a previous ubuntu patch that re-enables some algorithms that where moved to the legacy provider by OpenSSL 3.0. - [Test Plan] + [Test Plan] The bug can be reproducer by just running: openvpn --show-ciphers The non-patched version returns no algorithms and the patched version should include a list of cipher algorithms like this: AES-128-CBC (128 bit key, 128 bit block) AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only) AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only) AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only) AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only) - AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only) + AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only) ... [Where problems could occur] If the FIPS provider is not present (like on non FIPS hardened servers) the provider variable is NULL. That might generate some issues although I have seen no problems. -- https://bugs.launchpad.net/bugs/2077769 Title: fips-preview break openvpn ciphers
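The [Test Plan] check as a script, given as an added example that is not part of the bug report or of the Ubuntu patch: it counts cipher entries in `openvpn --show-ciphers` output and fails on the empty list described under [Impact]. The function names, the sample text and the `--live` switch are assumptions of this example; `/proc/sys/crypto/fips_enabled` is the kernel's FIPS flag.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): automate the [Test Plan] check.

# Count cipher entries in `openvpn --show-ciphers` output read from stdin.
# Entries look like "AES-128-CBC (128 bit key, 128 bit block)"; any header
# text printed before the list is ignored.
count_ciphers() {
    grep -cE '^[A-Za-z0-9_-]+ +\([0-9]+ bit key, ' || true
}

# Print 1 if the kernel FIPS flag is set, 0 if it is unset or the file is
# absent. The path is a parameter so the check can be exercised on any host.
fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ] && echo 1 || echo 0
}

# Verdict from a cipher count ($1) and a FIPS state ($2).
# Exit status 0 = pass, 1 = the empty-list symptom from this bug.
verdict() {
    if [ "$1" -gt 0 ]; then
        echo "PASS: $1 ciphers listed (fips=$2)"
    elif [ "$2" = "1" ]; then
        echo "FAIL: no ciphers listed with FIPS enabled"; return 1
    else
        echo "FAIL: no ciphers listed (fips=0, check the openvpn build)"; return 1
    fi
}

# Constructed sample inputs: a header line plus three cipher lines as quoted
# in the test plan, and the empty output of the non-patched package.
SAMPLE_PATCHED='The following ciphers are available (constructed header)

AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)'
SAMPLE_UNPATCHED=''

# Live use on a real host: ./check-ciphers.sh --live
if [ "${1:-}" = "--live" ]; then
    verdict "$(openvpn --show-ciphers | count_ciphers)" "$(fips_enabled)"
fi
```

Running it with `--live` on both a fips-preview host and a host without the FIPS provider covers the two states the description mentions.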
