From 336ec975bcd4dd8e2dfa66ae11757d240d606d904f9760d89d1cf6d2f6628282 Mon Sep 17 00:00:00 2001
From: Nirmoy Das
Date: Wed, 14 Sep 2016 14:11:18 +0000
Subject: [PATCH] Accepting request 425721 from home:AndreasStieger:branches:network:vpn

- Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration files. Fixes bsc#988522 adding openvpn-fips140-AES-cipher-in-config-template.patch
- remove gpg-offline signature verification, now a source service
OBS-URL: https://build.opensuse.org/request/show/425721
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=107
---
 ...ips140-AES-cipher-in-config-template.patch | 35 +++++++++++++++++++
 openvpn.changes | 8 +++++
 openvpn.spec | 4 +--
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 openvpn-fips140-AES-cipher-in-config-template.patch
diff --git a/openvpn-fips140-AES-cipher-in-config-template.patch b/openvpn-fips140-AES-cipher-in-config-template.patch
new file mode 100644
index 0000000..c8eb5d7
--- /dev/null
+++ b/openvpn-fips140-AES-cipher-in-config-template.patch
@@ -0,0 +1,35 @@
+From: Andreas Stieger
+Date: Thu, 08 Sep 2016 15:23:12 +0200
+Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
+References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
+Upstream: no
+
+The 2.3 default is blowfish which does not work in FIPS mode.
+This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.
+
+Index: openvpn-2.3.8/sample/sample-config-files/client.conf
+===================================================================
+--- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200
++++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200
+@@ -111,6 +111,8 @@ remote-cert-tls server
+ # If the cipher option is used on the server
+ # then you must also specify it here.
+ ;cipher x
++# Use a FIPS 140-2 approved cipher in FIPS mode
++;cipher AES-256-CBC # AES-256
+ 
+ # Enable compression on the VPN link.
+ # Don't enable this unless it is also
+Index: openvpn-2.3.8/sample/sample-config-files/server.conf
+===================================================================
+--- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200
++++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200
+@@ -249,6 +249,8 @@ keepalive 10 120
+ ;cipher BF-CBC # Blowfish (default)
+ ;cipher AES-128-CBC # AES
+ ;cipher DES-EDE3-CBC # Triple-DES
++# Use a FIPS 140-2 approved cipher in FIPS mode
++;cipher AES-256-CBC # AES-256
+ 
+ # Enable compression on the VPN link.
+ # If you enable it here, you must also
diff --git a/openvpn.changes b/openvpn.changes
index b6397c9..e1ed810 100644
--- a/openvpn.changes
+++ b/openvpn.changes
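Review bot: The comment `# Use a FIPS 140-2 approved cipher in FIPS mode` added above `;cipher AES-256-CBC` in both client.conf and server.conf reads as if `cipher` alone makes the configuration FIPS-compliant, but `cipher` selects only the data-channel cipher; the HMAC digest (`auth`) and the TLS control channel (`tls-cipher`) are configured separately. The patch header also implies that 2.3 does no cipher negotiation, and the client.conf context already says the value must be repeated on both ends, so the server.conf copy should say so too. I would narrow both comments to `# Use a FIPS 140-2 approved data-channel cipher in FIPS mode (must match on client and server)`. Because the example stays commented out with `;`, the shipped default the header describes as Blowfish is unchanged; a sentence saying so in the patch description would stop the example being mistaken for a hardened default.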
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep 8 13:26:16 UTC 2016 - astieger@suse.com
+
+- Add an example for a FIPS 140-2 approved cipher configuration to
+ the sample configuration files. Fixes bsc#988522
+ adding openvpn-fips140-AES-cipher-in-config-template.patch
+- remove gpg-offline signature verification, now a source service
+
 -------------------------------------------------------------------
 Tue May 10 16:16:02 UTC 2016 - idonmez@suse.com
diff --git a/openvpn.spec b/openvpn.spec
index a68e33f..fc143cd 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -52,8 +52,8 @@ Source11: rc%{name}
 Patch1: %{name}-2.3-plugin-man.dif
 Patch5: %{name}-2.3.0-man-dot.diff
 Patch6: %{name}-fips140-2.3.2.patch
+Patch7: openvpn-fips140-AES-cipher-in-config-template.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: gpg-offline
 BuildRequires: iproute2
 BuildRequires: lzo-devel
 BuildRequires: openssl-devel
@@ -133,11 +133,11 @@ Requires: %{name} = %{version}
 This package provides the header file to build external plugins.
 %prep
-%gpg_verify %{S:1}
 %setup -q -n %{name}-%{version}
 %patch1 -p0
 %patch5 -p0
 %patch6 -p1
+%patch7 -p1
 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
 -i src/openvpn/options.c
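Review bot: `Patch7: openvpn-fips140-AES-cipher-in-config-template.patch` in the `@@ -52,8 +52,8 @@` hunk spells the package name out while Patch1, Patch5 and Patch6 use `%{name}-`; for consistency I would write `Patch7: %{name}-fips140-AES-cipher-in-config-template.patch`. The same hunk drops `BuildRequires: gpg-offline` and the `@@ -133,11 +133,11 @@` hunk drops `%gpg_verify %{S:1}`, so the spec itself no longer checks the upstream tarball signature at build time; the commit message says a source service now does this, but nothing in the spec records where that check moved. I would add a comment beside the Source lines, which sit above the first hunk, such as `# Upstream tarball signature is verified by the OBS source service, not in %prep`, so the next maintainer does not read the missing %gpg_verify as an oversight.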