New version of patch for jammy

** Patch added: "lp2077769_v2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2077769/+attachment/5821595/+files/lp2077769_v2.debdiff

** Changed in: openvpn (Ubuntu Jammy)
       Status: Incomplete => In Progress

** Description changed:

  [Impact]
  When fips-preview is enabled in a Jammy server running openvpn --show-ciphers 
returns no algorithms. This is caused by openvpn not loading the FIPS OpenSSL 
provider. This actually works fine upstream but was broken by a previous ubuntu 
patch that re-enables some algorithms that where moved to the legacy provider 
by OpenSSL 3.0.
  
  [Test Plan]
  The bug can be reproduced by just running:
  
  openvpn --show-ciphers
  
  The non-patched version returns no algorithms and the patched version
  should include a list of cipher algorithms like this:
  
  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...
  
  [Where problems could occur]
- Just the function used to manually load providers has been changed. This one 
has an extra parameter that can retain the fallback providers if nor zero. This 
function is in fact called by the previously used function so it should not add 
extra risks.
+ Just the function used to manually load providers has been changed. This one 
has an extra parameter that can retain the fallback providers if not zero. This 
function is in fact called by the previously used function so it should not add 
extra risks.
  
  [Other Info]
  This applies only for Jammy as other versions do not have this patch.
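
Review bot: the [Test Plan] left unchanged by this edit says the bug reproduces by "just running" openvpn --show-ciphers, but [Impact] says the empty list only appears when fips-preview is enabled, so the plan should state that precondition and, ideally, that the same command is re-run with fips-preview disabled to confirm the cipher list is still returned there. While the "nor zero" typo is being corrected, "algorithms that where moved" in [Impact] should also become "were moved".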

** Description changed:

  [Impact]
  When fips-preview is enabled in a Jammy server running openvpn --show-ciphers 
returns no algorithms. This is caused by openvpn not loading the FIPS OpenSSL 
provider. This actually works fine upstream but was broken by a previous ubuntu 
patch that re-enables some algorithms that where moved to the legacy provider 
by OpenSSL 3.0.
  
  [Test Plan]
  The bug can be reproduced by just running:
  
  openvpn --show-ciphers
  
  The non-patched version returns no algorithms and the patched version
  should include a list of cipher algorithms like this:
  
  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...
  
  [Where problems could occur]
- Just the function used to manually load providers has been changed. This one 
has an extra parameter that can retain the fallback providers if not zero. This 
function is in fact called by the previously used function so it should not add 
extra risks.
+ Just the function used to manually load openssl providers has been changed. 
This one has an extra parameter that can retain the fallback providers if not 
zero. This function is in fact called by the previously used function so it 
should not add extra risks.
  
  [Other Info]
  This applies only for Jammy as other versions do not have this patch.
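
Review bot: the reworded [Where problems could occur] paragraph still names neither the function now called nor the "previously used function" said to wrap it, so the claim that the change adds no extra risk cannot be checked without opening the debdiff. Name both functions and state which value the patch passes for the extra parameter, since the text only says the fallback providers are retained "if not zero". It would also help to say what happens to the legacy-provider algorithms that the earlier Ubuntu patch re-enabled, as [Impact] identifies that patch as the origin of the regression.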

https://bugs.launchpad.net/bugs/2077769

Title:
  fips-preview break openvpn ciphers