[Bug 1807439] Re: openvpn crashes when run with fips openssl
Andreas Hasenack
andreas at canonical.com
Tue Jan 8 13:02:31 UTC 2019
Thanks for all this testing!
Could you please convert the debdiffs into actual merge proposals
against openvpn? It's easier to review.
For example, the dep3 header in the xenial patch:
+Description: Use FIPS algos in openvpn
+Bug-Ubuntu:
+Forwarded: not-needed
+Author: Stephan Mueller <stephan.mueller at atsec.com>
+---
+OpenVPN uses MD5 for (1) internal configuration status verification
+and (2) TLS PRF. MD5 is not allowed in FIPS 140-2. Sending MD5 request
+to FIPS mode openssl causes it to abort or enter error mode.
+OpenVPN needs to use SHA instead of MD5 for internal verification and
+send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to openssl when using MD5 for
+PRF to indicate the exception.
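Review bot: the long description says "use SHA instead of MD5 for internal verification" without naming the digest, and describes the MD5 exception only as sending EVP_MD_CTX_FLAG_NON_FIPS_ALLOW "when using MD5 for PRF". Name the exact SHA variant, and say whether the flag is set only on the TLS PRF digest context, so a reader of the header can see that the non-FIPS exception is limited to that one use.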
a) Bug-Ubuntu should point at this bug URL
b) Is there an upstream bug report? If yes, use "Bug: <url>" for it
c) The long description should be under the "Description:" header, indented by one space for each line
d) Is there a link to the origin of the patch, like a commit?
e) In xenial the patch switched the internal usage of md5 to sha1, but later versions seem to be using sha256. Any idea why not use sha256 in xenial as well, to follow upstream?
Feel free to ping me on IRC for assistance with creating the MP. Basically you either:
- install the git-ubuntu snap, and run "git ubuntu clone openvpn". You will get some default branches you can branch off: ubuntu/devel is disco, ubuntu/xenial-devel is xenial, and so on.
- or just go to https://code.launchpad.net/ubuntu/+source/openvpn and clone/branch manually what you need
https://bugs.launchpad.net/bugs/1807439