From: David Sommerseth <dav...@openvpn.net>
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. This revealed some incompatible code with
the added DCO support.
Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
src/openvpn/crypto.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..0415f59d 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
+#include "openssl_compat.h"
#include "memdbg.h"
@@ -1704,6 +1705,8 @@ print_cipher(const char *ciphername)
printf(", TLS client/server mode only");
}
#ifdef OPENSSL_FIPS
+ evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
{
printf(", disabled by FIPS mode");
--
2.27.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
