** Description changed:

- When a tunnel is started on a FIPS enabled server the process fails and
- the server shows this error:
+ [Impact]
+ When a tunnel is started on a FIPS enabled server the process fails and the server shows this error:
  
  OpenSSL: error:0308010C:digital envelope routines::unsupported
  Message hash algorithm 'MD5' not found
  
  This happens because MD5 is not allowed on openssl 3 and openvpn is using it
+ 
+ [Test Plan]
+ This bug is fixed together with LP bug #2077769. This bug does not occur unless the patch for that bug is applied first as otherwise it fails before reaching this point. The test plan for that bug also covers this issue as it tests a functioning tunnel.
+ 
+ [Where problems could occur]
+ I'm backporting two upstream patches that change the key derivation mechanism and the TLS PRF function to avoid the use of MD5. These patches affect fips and non fips enabled systems alike and might break in some unexpected cases.
+ 
+ [Other Info]
+ This only affects Jammy because it uses openvpn 2.5 and openssl 3.0.
+ The patch for Jammy is included in patch for LP bug #2077769.
+ These are the backported upstream patches:
+ 
+ https://github.com/OpenVPN/openvpn/commit/6dc09d0
+ https://github.com/OpenVPN/openvpn/commit/06f6cf3
--
https://bugs.launchpad.net/bugs/2091575

Title:
  Message hash algorithm 'MD5' not found on FIPS system
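The failure described in the report can be checked on any host with the following added example, which is not part of the bug report or of OpenVPN's code. It assumes the MD5-dependent function is the RFC 2246 TLS 1.0 PRF (P_MD5 XOR P_SHA1) and relies on Python's `hashlib` being OpenSSL-backed, so MD5 is refused there under the same FIPS policy. The function names are hypothetical, and the SHA-256 PRF from RFC 5246 is included only as an MD5-free contrast, not as a description of what the backported patches do.

```python
import hashlib
import hmac


def digest_available(name: str) -> bool:
    """True if the OpenSSL-backed hashlib will instantiate this digest."""
    try:
        hashlib.new(name)
        return True
    except ValueError:  # raised for MD5 when only FIPS-approved digests load
        return False


def p_hash(name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 section 5 P_hash: HMAC-based expansion to `length` bytes."""
    out, a = b"", seed  # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 PRF: P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed)."""
    missing = [d for d in ("md5", "sha1") if not digest_available(d)]
    if missing:
        raise RuntimeError(f"TLS 1.0 PRF unusable, digest unavailable: {missing}")
    half = (len(secret) + 1) // 2  # both halves are ceil(len/2) bytes long
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 PRF (P_SHA256 only), an MD5-free construction for contrast."""
    return p_hash("sha256", secret, label + seed, length)


def probe() -> dict:
    """Report which PRF constructions this host's crypto policy permits."""
    secret, seed = b"\x0b" * 48, b"\x01" * 64  # constructed sample inputs
    try:
        ok10 = len(tls10_prf(secret, b"sample", seed, 64)) == 64
    except RuntimeError:
        ok10 = False
    ok12 = len(tls12_prf(secret, b"sample", seed, 64)) == 64
    return {"md5": digest_available("md5"), "tls10_prf": ok10, "tls12_prf": ok12}
```

On a host where MD5 is disabled, `probe()` reports `md5` and `tls10_prf` as `False` while `tls12_prf` stays `True`, which is the split the bug report describes.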