Accepting request 427634 from network:vpn

1 OBS-URL: https://build.opensuse.org/request/show/427634 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=70
2016-09-16 09:01:41 +00:00 · 2016-09-16 09:01:41 +00:00 · a9965a4ad6
commit a9965a4ad6
parent 02b1e24f46 336ec975bc
3 changed files with 45 additions and 2 deletions
--- a/openvpn-fips140-AES-cipher-in-config-template.patch
+++ b/openvpn-fips140-AES-cipher-in-config-template.patch
@ -0,0 +1,35 @@
+From: Andreas Stieger <astieger@suse.com>
+Date: Thu, 08 Sep 2016 15:23:12 +0200
+Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
+References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
+Upstream: no
+
+The 2.3 default is blowfish which does not work in FIPS mode.
+This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.
+
+Index: openvpn-2.3.8/sample/sample-config-files/client.conf
+===================================================================
+--- openvpn-2.3.8.orig/sample/sample-config-files/client.conf	2015-07-17 07:43:32.000000000 +0200
+++ openvpn-2.3.8/sample/sample-config-files/client.conf	2016-09-08 15:12:32.650248879 +0200
+@@ -111,6 +111,8 @@ remote-cert-tls server
+ # If the cipher option is used on the server
+ # then you must also specify it here.
+ ;cipher x
+# Use a FIPS 140-2 approved cipher in FIPS mode
+;cipher AES-256-CBC   # AES-256
+ 
+ # Enable compression on the VPN link.
+ # Don't enable this unless it is also
+Index: openvpn-2.3.8/sample/sample-config-files/server.conf
+===================================================================
+--- openvpn-2.3.8.orig/sample/sample-config-files/server.conf	2015-07-17 07:43:32.000000000 +0200
+++ openvpn-2.3.8/sample/sample-config-files/server.conf	2016-09-08 15:11:55.869874892 +0200
+@@ -249,6 +249,8 @@ keepalive 10 120
+ ;cipher BF-CBC        # Blowfish (default)
+ ;cipher AES-128-CBC   # AES
+ ;cipher DES-EDE3-CBC  # Triple-DES
+# Use a FIPS 140-2 approved cipher in FIPS mode
+;cipher AES-256-CBC   # AES-256
+ 
+ # Enable compression on the VPN link.
+ # If you enable it here, you must also
--- a/openvpn.changes
+++ b/openvpn.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep  8 13:26:16 UTC 2016 - astieger@suse.com
+
+- Add an example for a FIPS 140-2 approved cipher configuration to
+  the sample configuration files. Fixes bsc#988522
+  adding openvpn-fips140-AES-cipher-in-config-template.patch
+- remove gpg-offline signature verification, now a source service
+
 -------------------------------------------------------------------
 Tue May 10 16:16:02 UTC 2016 - idonmez@suse.com

--- a/openvpn.spec
+++ b/openvpn.spec
@ -52,8 +52,8 @@ Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
 Patch5:         %{name}-2.3.0-man-dot.diff
 Patch6:         %{name}-fips140-2.3.2.patch
+Patch7:         openvpn-fips140-AES-cipher-in-config-template.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  gpg-offline
 BuildRequires:  iproute2
 BuildRequires:  lzo-devel
 BuildRequires:  openssl-devel
@ -133,11 +133,11 @@ Requires:       %{name} = %{version}
 This package provides the header file to build external plugins.

 %prep
-%gpg_verify %{S:1}
 %setup -q -n %{name}-%{version}
 %patch1 -p0
 %patch5 -p0
 %patch6 -p1
+%patch7 -p1

 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c