[Test Plan]

The bug can be reproduced by just running:

  openvpn --show-ciphers

The non-patched version returns no algorithms and the patched version should include a list of cipher algorithms like this:

  AES-128-CBC  (128 bit key, 128 bit block)
  AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
  AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
  ...

To make sure no regressions are introduced we can create two VMs and test a VPN connection between them both with and without FIPS enabled. For the non-FIPS case we will use a legacy cipher that is not supported in FIPS. The path to enable these legacy algorithms is the one that breaks FIPS in the first place.

Non-FIPS case:

Install server VM:

  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass            # accept default value for parameter
  ./easyrsa gen-req myserver nopass    # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver   # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key /etc/openvpn
  ./easyrsa gen-req myclient nopass    # accept default value for parameter
  ./easyrsa sign-req client myclient   # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key <user>@<client_address>
  cd /etc/openvpn
  openvpn --genkey secret ta.key
  scp ta.key <user>@<client_address>
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
  key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  tls-auth ta.key 0
  cipher DES-CBC # old deprecated algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server

Install client VM:

  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt ta.key myclient.key /etc/openvpn   # these files were copied from the server
  sudo -i
  # replace <server_ip> with the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  tls-auth ta.key 1
  cipher DES-CBC # old deprecated algorithm
  EOL
  systemctl start openvpn@client

After installing and starting openvpn both client and server should have a tun0 interface. It should be possible to ping the server interface from the client:

  ping 10.8.0.1

And from the server ping the client interface:

  ping 10.8.0.2

FIPS case:

For the FIPS case I removed the tls-auth option as the unpatched openvpn cannot even generate the ta.key file on FIPS enabled systems. The patched version can generate the key and works with tls-auth enabled.

Install server VM:

  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo reboot
  sudo apt install -y openvpn easy-rsa
  sudo make-cadir /etc/openvpn/easy-rsa
  sudo -i
  cd /etc/openvpn/easy-rsa
  ./easyrsa init-pki
  ./easyrsa build-ca nopass            # accept default value for parameter
  ./easyrsa gen-req myserver nopass    # accept default value for parameter
  ./easyrsa gen-dh
  ./easyrsa sign-req server myserver   # type yes
  cp pki/dh.pem pki/ca.crt pki/issued/myserver.crt pki/private/myserver.key /etc/openvpn
  ./easyrsa gen-req myclient nopass    # accept default value for parameter
  ./easyrsa sign-req client myclient   # type yes
  scp pki/ca.crt pki/issued/myclient.crt pki/private/myclient.key <user>@<client_address>
  cd /etc/openvpn
  cat > server.conf <<EOL
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert myserver.crt
  key myserver.key
  dh dh.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/log/openvpn/ipp.txt
  keepalive 10 120
  cipher AES-256-CBC # fips algorithm
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  explicit-exit-notify 1
  EOL
  systemctl start openvpn@server

Install client VM:

  sudo pro attach <token>
  sudo pro enable fips-updates
  sudo reboot
  sudo apt install -y openvpn
  sudo cp myclient.crt ca.crt myclient.key /etc/openvpn   # these files were copied from the server
  sudo -i
  # replace <server_ip> with the server IP in the following command
  cat > /etc/openvpn/client.conf <<EOL
  client
  dev tun
  proto udp
  remote <server_ip> 1194
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert myclient.crt
  key myclient.key
  remote-cert-tls server
  cipher AES-256-CBC # fips algorithm
  EOL
  systemctl start openvpn@client

After installing and starting openvpn both client and server should have a tun0 interface. It should be possible to ping the server interface from the client:

  ping 10.8.0.1

And from the server ping the client interface:

  ping 10.8.0.2

https://bugs.launchpad.net/bugs/2097688
Title: [BPO] openvpn/2.6.12 from Noble to Jammy
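The test plan hinges on two checks that are easy to get wrong by eye: that the patched build actually lists ciphers, and that the cipher named in each server.conf is among them (DES-CBC must be absent on the FIPS host, AES-256-CBC present on both). The script below is an added example, not part of the bug report or of the openvpn package; its `--show-ciphers` output and config fragments are constructed samples, and on a real host `SAMPLE_CIPHERS` would be replaced by the output of `openvpn --show-ciphers`.

```shell
# Added example, not part of the bug report or of openvpn itself: sanity
# checks for the test plan. On a real host replace SAMPLE_CIPHERS with the
# output of `openvpn --show-ciphers`; the unpatched build prints no cipher
# lines at all, which is the bug under test.

# Constructed sample of --show-ciphers output (header line plus cipher lines).
SAMPLE_CIPHERS='The following ciphers and cipher modes are available for use with OpenVPN.
AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)'

# Constructed fragments of the two server.conf files from the test plan.
LEGACY_CONF='proto udp
cipher DES-CBC # old deprecated algorithm
persist-key'
FIPS_CONF='cipher AES-256-CBC # fips algorithm'

# Count cipher entries in --show-ciphers output read from stdin: an upper-case
# name followed by a parenthesised description. Prints 0 for empty output.
count_ciphers() {
    grep -Ec '^[A-Z0-9-]+ +\(' || true
}

# Print the value of the `cipher` directive from a config read from stdin,
# with any trailing "# comment" stripped.
config_cipher() {
    sed -n 's/^cipher[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' | head -n 1
}

# Succeed when cipher $1 is listed in the --show-ciphers text $2.
cipher_available() {
    printf '%s\n' "$2" | grep -Eq "^$1 +\("
}

# Check a config ($1) against the --show-ciphers text ($2).
# Returns 0 = supported, 1 = configured cipher not listed, 2 = no ciphers at all.
check_config() {
    n=$(printf '%s\n' "$2" | count_ciphers)
    [ "$n" -gt 0 ] || return 2
    cipher_available "$(printf '%s\n' "$1" | config_cipher)" "$2"
}

for conf in "$LEGACY_CONF" "$FIPS_CONF"; do
    name=$(printf '%s\n' "$conf" | config_cipher)
    if check_config "$conf" "$SAMPLE_CIPHERS"; then
        echo "ok: $name is available in this build"
    else
        echo "FAIL (rc=$?): $name is not available in this build"
    fi
done
```

Feed it the real `openvpn --show-ciphers` output on each VM and a return code of 2 reproduces the unpatched behaviour, while 1 on the FIPS host for DES-CBC is the expected rejection of the legacy cipher.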