From: Andreas Stieger Date: Thu, 08 Sep 2016 15:23:12 +0200 Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00 Upstream: no The 2.3 default is blowfish which does not work in FIPS mode. This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode. Index: openvpn-2.3.8/sample/sample-config-files/client.conf =================================================================== --- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200 +++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200 @@ -111,6 +111,8 @@ remote-cert-tls server # If the cipher option is used on the server # then you must also specify it here. ;cipher x +# Use a FIPS 140-2 approved cipher in FIPS mode +;cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # Don't enable this unless it is also Index: openvpn-2.3.8/sample/sample-config-files/server.conf =================================================================== --- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200 +++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200 @@ -249,6 +249,8 @@ keepalive 10 120 ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES +# Use a FIPS 140-2 approved cipher in FIPS mode +;cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # If you enable it here, you must also
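Review bot: In the client.conf hunk, the new comment should state why the line is needed on this side, since the client file (unlike server.conf) never mentions that the built-in default is BF-CBC, which the commit message says fails in FIPS mode. The comment directly above the hunk already says "If the cipher option is used on the server / then you must also specify it here", and since this is a 2.3.8 patch with no cipher negotiation, a reader who uncomments `;cipher AES-256-CBC` on only one side gets a non-matching cipher rather than a negotiated AES-256-GCM as the message describes for 2.4. Suggest something like:

  # The default (BF-CBC) is not FIPS 140-2 approved; in FIPS mode set the
  # same approved cipher on both client and server, e.g.:
  ;cipher AES-256-CBC   # AES-256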
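Review bot: In the server.conf hunk, placing "# Use a FIPS 140-2 approved cipher in FIPS mode" only in front of the new `;cipher AES-256-CBC` line reads as if the existing `;cipher AES-128-CBC # AES` entry two lines above is not approved, when AES-128-CBC is equally acceptable under FIPS 140-2. It would be clearer to keep a single flat list and move the FIPS remark onto the default entry that the commit message identifies as the actual problem, e.g. `;cipher BF-CBC # Blowfish (default, not available in FIPS mode)`, with the AES-256-CBC line added to the list without a separate comment block.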