** Description changed: [Impact] When a tunnel is started on a FIPS enabled server the process fails and the server shows this error: OpenSSL: error:0308010C:digital envelope routines::unsupported Message hash algorithm 'MD5' not found This happens because MD5 is not allowed on openssl 3 and openvpn is using it [Test Plan] This bug is fixed together with LP bug #2077769. This bug does not occur unless the patch for that bug is applied first as otherwise it fails before reaching this point. The test plan for that bug also covers this issue as it tests a functioning tunnel. [Where problems could occur] - I'm backporting two upstream patches that change the key derivation mechanism and the TLS PRF function to avoid the use of MD5. This patches affect fips and non fips enabled systems alike and might break in some unexpected cases. + I'm backporting two upstream patches that change the key derivation mechanism and the TLS PRF function to avoid the use of MD5. This patches affect fips and non fips enabled systems alike and might break in some unexpected cases. As the changes only affect random number generation, for non-fips systems the patched and unpatched versions on openvpn can connect to each other without problems. [Other Info] This only affects Jammy because it uses openvpn 2.5 an openssl 3.0. The patch for Jammy is included in patch for LP bug #2077769. These are the backported upstream patches: https://github.com/OpenVPN/openvpn/commit/6dc09d0 https://github.com/OpenVPN/openvpn/commit/06f6cf3
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2091575 Title: Message hash algorithm 'MD5' not found on FIPS system To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2091575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
