** Description changed:

  [Impact]
  When fips-preview is enabled in a Jammy server running openvpn --show-ciphers 
returns no algorithms. This is caused by openvpn not loading the FIPS OpenSSL 
provider. This actually works fine upstream but was broken by a previous ubuntu 
patch that re-enables some algorithms that where moved to the legacy provider 
by OpenSSL 3.0.
  
  [Test Plan]
  The bug can be reproduced by just running:
  
  openvpn --show-ciphers
  
  The non-patched version returns no algorithms and the patched version
  should include a list of cipher algorithms like this:
  
  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...
  
+ To make sure no regressions are introduced we can create two VMs and
+ test a VPN connection between them both with and without FIPS enabled.
+ 
+ Non-fips case:
+ 
+ Install server VM:
+ 
+ sudo apt install -y openvpn easy-rsa
+ sudo make-cadir /etc/openvpn/easy-rsa
+ sudo -i
+ cd /etc/openvpn/easy-rsa
+ ./easyrsa init-pki
+ ./easyrsa build-ca nopass
+ # accept default value for parameter
+ ./easyrsa gen-req myserver nopass
+ # accept default value for parameter
+ ./easyrsa gen-dh
+ ./easyrsa sign-req server myserver
+ # type yes
+ cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
+ ./easyrsa gen-req myclient nopass
+ # accept default value for parameter
+ ./easyrsa sign-req client myclient
+ # type yes
+ scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
+ cd /etc/openvpn
+ openvpn --genkey secret ta.key
+ scp ta.key <user>@<client_address>
+ cat > server.conf <<EOL
+ port 1194
+ proto udp
+ dev tun
+ ca ca.crt
+ cert myserver.crt
+ key myserver.key 
+ dh dh.pem
+ topology subnet
+ server 10.8.0.0 255.255.255.0
+ ifconfig-pool-persist /var/log/openvpn/ipp.txt
+ keepalive 10 120
+ tls-auth ta.key 0
+ cipher DES-CBC # old deprecated algorithm
+ persist-key
+ persist-tun
+ status /var/log/openvpn/openvpn-status.log
+ explicit-exit-notify 1
+ EOL
+ systemctl start openvpn@server
+ 
+ 
+ Install client VM:
+ 
+ sudo apt install -y openvpn
+ sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
+ # these files where copied from the server
+ sudo -i
+ # replace <server_ip> for the server IP in the following command
+ cat > /etc/openvpn/client.conf <<EOL
+ client
+ dev tun
+ proto udp
+ remote <server_ip> 1194
+ nobind
+ persist-key
+ persist-tun
+ ca ca.crt
+ cert myclient.crt
+ key myclient.key
+ remote-cert-tls server
+ tls-auth ta.key 1
+ cipher DES-CBC # old deprecated algorithm
+ EOL
+ systemctl start openvpn@client
+ 
+ After installing and starting openvpn both client and server should have
+ a tun0 interface. It should be possible to ping the server interface
+ from the client:
+ 
+ ping 10.8.0.1
+ 
+ And from the server ping the client interface:
+ 
+ ping 10.8.0.2
+ 
+ 
+ Fips case:
+ 
+ Install server VM:
+ 
+ sudo pro attach <token>
+ sudo pro enable fips-updates
+ sudo apt install -y openvpn easy-rsa
+ sudo make-cadir /etc/openvpn/easy-rsa
+ sudo -i
+ cd /etc/openvpn/easy-rsa
+ ./easyrsa init-pki
+ ./easyrsa build-ca nopass
+ # accept default value for parameter
+ ./easyrsa gen-req myserver nopass
+ # accept default value for parameter
+ ./easyrsa gen-dh
+ ./easyrsa sign-req server myserver
+ # type yes
+ cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
+ ./easyrsa gen-req myclient nopass
+ # accept default value for parameter
+ ./easyrsa sign-req client myclient
+ # type yes
+ scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
+ cd /etc/openvpn
+ openvpn --genkey secret ta.key 
+ scp ta.key <user>@<client_address>
+ cat > server.conf <<EOL  
+ port 1194
+ proto udp
+ dev tun
+ ca ca.crt
+ cert myserver.crt
+ key myserver.key 
+ dh dh.pem
+ topology subnet
+ server 10.8.0.0 255.255.255.0
+ ifconfig-pool-persist /var/log/openvpn/ipp.txt
+ keepalive 10 120
+ tls-auth ta.key 0
+ cipher AES-256-CBC # fips algorithm
+ persist-key
+ persist-tun
+ status /var/log/openvpn/openvpn-status.log
+ explicit-exit-notify 1
+ EOL
+ systemctl start openvpn@server
+ 
+ Install client VM:
+ 
+ sudo pro attach <token>
+ sudo pro enable fips-updates
+ sudo apt install -y openvpn
+ sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
+ # these files where copied from the server
+ sudo -i
+ # replace <server_ip> for the server IP in the following command
+ cat > /etc/openvpn/client.conf <<EOL 
+ client
+ dev tun
+ proto udp
+ remote <server_ip> 1194
+ nobind
+ persist-key
+ persist-tun
+ ca ca.crt
+ cert myclient.crt
+ key myclient.key
+ remote-cert-tls server
+ tls-auth ta.key 1
+ cipher AES-256-CBC # fips algorithm
+ EOL
+ systemctl start openvpn@client
+ 
+ After installing and starting openvpn both client and server should have
+ a tun0 interface. It should be possible to ping the server interface
+ from the client:
+ 
+ ping 10.8.0.1
+ 
+ And from the server ping the client interface:
+ 
+ ping 10.8.0.2
+ 
  [Where problems could occur]
  The function used to manually load openssl providers has been changed. This 
one has an extra parameter that can retain the fallback providers if not zero. 
This function is in fact called by the previously used function so it should 
not add extra risks. The legacy and default providers are still loaded anyway 
so worst case would be that the fallback is lost as before and the package 
would not work on FIPS systems.
  
  [Other Info]
  This applies only for Jammy as other versions do not have this patch.
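Review bot: the pass criterion for the non-FIPS case (the two pings after `systemctl start openvpn@client`) does not show which data-channel cipher was actually negotiated, so it cannot by itself confirm that `cipher DES-CBC # old deprecated algorithm` exercised the legacy-provider path; neither server.conf nor client.conf sets `data-ciphers`, so the cipher in use on the data channel depends on what the two peers negotiate. Suggest adding a step after the pings that checks the negotiated cipher in the openvpn log (for example `journalctl -u openvpn@server`) and doing the same in the FIPS case so the log shows AES-256-CBC in use. Two wording fixes in the comments of both the non-FIPS and FIPS client steps: `# these files where copied from the server` should read `were copied`, and `# replace <server_ip> for the server IP` should read `with the server IP`. It would also help to state up front why the non-FIPS case deliberately uses a deprecated cipher, since a reader can otherwise take that line as an oversight rather than the point of the test.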

** Description changed:

  [Impact]
  When fips-preview is enabled in a Jammy server running openvpn --show-ciphers 
returns no algorithms. This is caused by openvpn not loading the FIPS OpenSSL 
provider. This actually works fine upstream but was broken by a previous ubuntu 
patch that re-enables some algorithms that where moved to the legacy provider 
by OpenSSL 3.0.
  
  [Test Plan]
  The bug can be reproduced by just running:
  
  openvpn --show-ciphers
  
  The non-patched version returns no algorithms and the patched version
  should include a list of cipher algorithms like this:
  
  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...
  
  To make sure no regressions are introduced we can create two VMs and
  test a VPN connection between them both with and without FIPS enabled.
+ 
  
  Non-fips case:
  
  Install server VM:
  
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # accept default value for parameter
  ./easyrsa gen-req myserver nopass
  # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver
  # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
  ./easyrsa gen-req myclient nopass
  # accept default value for parameter
  ./easyrsa sign-req client myclient
  # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
  cd /etc/openvpn
  openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
- key myserver.key 
+ key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher DES-CBC # old deprecated algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server
- 
  
  Install client VM:
  
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
  # these files where copied from the server
  sudo -i
  # replace <server_ip> for the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher DES-CBC # old deprecated algorithm
  EOL
  systemctl start openvpn@client
  
  After installing and starting openvpn both client and server should have
  a tun0 interface. It should be possible to ping the server interface
  from the client:
  
  ping 10.8.0.1
  
  And from the server ping the client interface:
  
  ping 10.8.0.2
  
- 
  Fips case:
  
  Install server VM:
  
  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # accept default value for parameter
  ./easyrsa gen-req myserver nopass
  # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver
  # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
  ./easyrsa gen-req myclient nopass
  # accept default value for parameter
  ./easyrsa sign-req client myclient
  # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
  cd /etc/openvpn
- openvpn --genkey secret ta.key 
+ openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
- cat > server.conf <<EOL  
+ cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
- key myserver.key 
+ key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher AES-256-CBC # fips algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server
  
  Install client VM:
  
  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
  # these files where copied from the server
  sudo -i
  # replace <server_ip> for the server IP in the following command
- cat > /etc/openvpn/client.conf <<EOL 
+ cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher AES-256-CBC # fips algorithm
  EOL
  systemctl start openvpn@client
  
  After installing and starting openvpn both client and server should have
  a tun0 interface. It should be possible to ping the server interface
  from the client:
  
  ping 10.8.0.1
  
  And from the server ping the client interface:
  
  ping 10.8.0.2
  
  [Where problems could occur]
  The function used to manually load openssl providers has been changed. This 
one has an extra parameter that can retain the fallback providers if not zero. 
This function is in fact called by the previously used function so it should 
not add extra risks. The legacy and default providers are still loaded anyway 
so worst case would be that the fallback is lost as before and the package 
would not work on FIPS systems.
  
  [Other Info]
  This applies only for Jammy as other versions do not have this patch.

** Description changed:

  [Impact]
  When fips-preview is enabled in a Jammy server running openvpn --show-ciphers 
returns no algorithms. This is caused by openvpn not loading the FIPS OpenSSL 
provider. This actually works fine upstream but was broken by a previous ubuntu 
patch that re-enables some algorithms that where moved to the legacy provider 
by OpenSSL 3.0.
  
  [Test Plan]
  The bug can be reproduced by just running:
  
  openvpn --show-ciphers
  
  The non-patched version returns no algorithms and the patched version
  should include a list of cipher algorithms like this:
  
  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...
  
  To make sure no regressions are introduced we can create two VMs and
  test a VPN connection between them both with and without FIPS enabled.
- 
+ For the non-FIPS case we will use a legacy cipher that is not supported
+ in FIPS. The path to enable this legacy algorithms is the one that
+ breaks FIPS in the first place.
  
  Non-fips case:
  
  Install server VM:
  
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # accept default value for parameter
  ./easyrsa gen-req myserver nopass
  # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver
  # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
  ./easyrsa gen-req myclient nopass
  # accept default value for parameter
  ./easyrsa sign-req client myclient
  # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
  cd /etc/openvpn
  openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
  key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher DES-CBC # old deprecated algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server
  
  Install client VM:
  
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
  # these files where copied from the server
  sudo -i
  # replace <server_ip> for the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher DES-CBC # old deprecated algorithm
  EOL
  systemctl start openvpn@client
  
  After installing and starting openvpn both client and server should have
  a tun0 interface. It should be possible to ping the server interface
  from the client:
  
  ping 10.8.0.1
  
  And from the server ping the client interface:
  
  ping 10.8.0.2
  
  Fips case:
  
  Install server VM:
  
  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # accept default value for parameter
  ./easyrsa gen-req myserver nopass
  # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver
  # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
  ./easyrsa gen-req myclient nopass
  # accept default value for parameter
  ./easyrsa sign-req client myclient
  # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
  cd /etc/openvpn
  openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
  key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher AES-256-CBC # fips algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server
  
  Install client VM:
  
  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
  # these files where copied from the server
  sudo -i
  # replace <server_ip> for the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher AES-256-CBC # fips algorithm
  EOL
  systemctl start openvpn@client
  
  After installing and starting openvpn both client and server should have
  a tun0 interface. It should be possible to ping the server interface
  from the client:
  
  ping 10.8.0.1
  
  And from the server ping the client interface:
  
  ping 10.8.0.2
  
  [Where problems could occur]
  The function used to manually load openssl providers has been changed. This 
one has an extra parameter that can retain the fallback providers if not zero. 
This function is in fact called by the previously used function so it should 
not add extra risks. The legacy and default providers are still loaded anyway 
so worst case would be that the fallback is lost as before and the package 
would not work on FIPS systems.
  
  [Other Info]
  This applies only for Jammy as other versions do not have this patch.
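Review bot: the new paragraph under the regression sentence has a number agreement slip, `The path to enable this legacy algorithms` should read `these legacy algorithms`. The rationale it adds is the right one to record: it makes explicit that the non-FIPS run with `cipher DES-CBC` is there to cover the legacy-provider code path that the fix touches, so a reader no longer has to infer that from the `# old deprecated algorithm` comment alone.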

** Description changed:

  [Impact]
  When fips-preview is enabled in a Jammy server running openvpn --show-ciphers 
returns no algorithms. This is caused by openvpn not loading the FIPS OpenSSL 
provider. This actually works fine upstream but was broken by a previous ubuntu 
patch that re-enables some algorithms that where moved to the legacy provider 
by OpenSSL 3.0.
  
  [Test Plan]
  The bug can be reproduced by just running:
  
  openvpn --show-ciphers
  
  The non-patched version returns no algorithms and the patched version
  should include a list of cipher algorithms like this:
  
  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...
  
  To make sure no regressions are introduced we can create two VMs and
  test a VPN connection between them both with and without FIPS enabled.
  For the non-FIPS case we will use a legacy cipher that is not supported
  in FIPS. The path to enable this legacy algorithms is the one that
  breaks FIPS in the first place.
  
  Non-fips case:
  
  Install server VM:
  
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # accept default value for parameter
  ./easyrsa gen-req myserver nopass
  # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver
  # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
  ./easyrsa gen-req myclient nopass
  # accept default value for parameter
  ./easyrsa sign-req client myclient
  # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
  cd /etc/openvpn
  openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
  key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher DES-CBC # old deprecated algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server
  
  Install client VM:
  
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
  # these files where copied from the server
  sudo -i
  # replace <server_ip> for the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher DES-CBC # old deprecated algorithm
  EOL
  systemctl start openvpn@client
  
  After installing and starting openvpn both client and server should have
  a tun0 interface. It should be possible to ping the server interface
  from the client:
  
  ping 10.8.0.1
  
  And from the server ping the client interface:
  
  ping 10.8.0.2
  
  Fips case:
  
  Install server VM:
  
  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # accept default value for parameter
  ./easyrsa gen-req myserver nopass
  # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver
  # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key 
/etc/openvpn
  ./easyrsa gen-req myclient nopass
  # accept default value for parameter
  ./easyrsa sign-req client myclient
  # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key 
<user>@<client_address>
  cd /etc/openvpn
  openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
  key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher AES-256-CBC # fips algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server
  
  Install client VM:
  
  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn
  # these files where copied from the server
  sudo -i
  # replace <server_ip> for the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher AES-256-CBC # fips algorithm
  EOL
  systemctl start openvpn@client
  
  After installing and starting openvpn both client and server should have
  a tun0 interface. It should be possible to ping the server interface
  from the client:
  
  ping 10.8.0.1
  
  And from the server ping the client interface:
  
  ping 10.8.0.2
  
  [Where problems could occur]
- The function used to manually load openssl providers has been changed. This 
one has an extra parameter that can retain the fallback providers if not zero. 
This function is in fact called by the previously used function so it should 
not add extra risks. The legacy and default providers are still loaded anyway 
so worst case would be that the fallback is lost as before and the package 
would not work on FIPS systems.
+ This patch just removes the code that loads the legacy provider when FIPS is 
enabled as loading this provider prevented the FIPS provider to be used. It 
does not change anything when FIPS is not in use.
  
  [Other Info]
  This applies only for Jammy as other versions do not have this patch.
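Review bot: the replacement text for [Where problems could occur] has a grammar slip, `prevented the FIPS provider to be used` should read `from being used`, and the regression section now lacks the negative check that follows from it. Since the patch stops loading the legacy provider when FIPS is enabled, a configuration that relies on a legacy-provider cipher (the `cipher DES-CBC` used in the non-FIPS case) is expected to be rejected on the FIPS VM after the fix; suggest adding that as an explicit step in the FIPS case, because a patched openvpn that still accepted DES-CBC under FIPS would indicate the legacy provider is still being loaded. The earlier wording about the provider-loading function with the extra fallback parameter is dropped here; if that approach was abandoned in favour of simply not loading the legacy provider, a one-line mention would save readers of the earlier revisions from wondering which version of the change was uploaded.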

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2077769

Title:
  fips-preview break openvpn ciphers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2077769/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs