openvpn/openvpn-fips140-AES-cipher-in-config-template.patch

From: Andreas Stieger <astieger@suse.com>
Date: Thu, 08 Sep 2016 15:23:12 +0200
Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
Upstream: no

The 2.3 default is blowfish which does not work in FIPS mode.
This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.

Index: openvpn-2.3.8/sample/sample-config-files/client.conf
===================================================================
--- openvpn-2.3.8.orig/sample/sample-config-files/client.conf	2015-07-17 07:43:32.000000000 +0200
+++ openvpn-2.3.8/sample/sample-config-files/client.conf	2016-09-08 15:12:32.650248879 +0200
@@ -111,6 +111,8 @@ remote-cert-tls server
 # If the cipher option is used on the server
 # then you must also specify it here.
 ;cipher x
+# Use a FIPS 140-2 approved cipher in FIPS mode
+;cipher AES-256-CBC   # AES-256
 
 # Enable compression on the VPN link.
 # Don't enable this unless it is also
Index: openvpn-2.3.8/sample/sample-config-files/server.conf
===================================================================
--- openvpn-2.3.8.orig/sample/sample-config-files/server.conf	2015-07-17 07:43:32.000000000 +0200
+++ openvpn-2.3.8/sample/sample-config-files/server.conf	2016-09-08 15:11:55.869874892 +0200
@@ -249,6 +249,8 @@ keepalive 10 120
 ;cipher BF-CBC        # Blowfish (default)
 ;cipher AES-128-CBC   # AES
 ;cipher DES-EDE3-CBC  # Triple-DES
+# Use a FIPS 140-2 approved cipher in FIPS mode
+;cipher AES-256-CBC   # AES-256
 
 # Enable compression on the VPN link.
 # If you enable it here, you must also
Accepting request 425721 from home:AndreasStieger:branches:network:vpn - Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration files. Fixes bsc#988522 adding openvpn-fips140-AES-cipher-in-config-template.patch - remove gpg-offline signature verification, now a source service OBS-URL: https://build.opensuse.org/request/show/425721 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=107 2016-09-14 16:11:18 +02:00			`From: Andreas Stieger <astieger@suse.com>`
			`Date: Thu, 08 Sep 2016 15:23:12 +0200`
			`Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file`
			`References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00`
			`Upstream: no`

			`The 2.3 default is blowfish which does not work in FIPS mode.`
			`This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.`

			`Index: openvpn-2.3.8/sample/sample-config-files/client.conf`
			`===================================================================`
			`--- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200`
			`+++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200`
			`@@ -111,6 +111,8 @@ remote-cert-tls server`
			`# If the cipher option is used on the server`
			`# then you must also specify it here.`
			`;cipher x`
			`+# Use a FIPS 140-2 approved cipher in FIPS mode`
			`+;cipher AES-256-CBC # AES-256`

			`# Enable compression on the VPN link.`
			`# Don't enable this unless it is also`
			`Index: openvpn-2.3.8/sample/sample-config-files/server.conf`
			`===================================================================`
			`--- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200`
			`+++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200`
			`@@ -249,6 +249,8 @@ keepalive 10 120`
			`;cipher BF-CBC # Blowfish (default)`
			`;cipher AES-128-CBC # AES`
			`;cipher DES-EDE3-CBC # Triple-DES`
			`+# Use a FIPS 140-2 approved cipher in FIPS mode`
			`+;cipher AES-256-CBC # AES-256`

			`# Enable compression on the VPN link.`
			`# If you enable it here, you must also`