Opened 8 years ago

Last modified 16 months ago

#725 closed Feature Wish

Consider to add FIPS support in OpenVPN — at Initial Version

Reported by: David Sommerseth Owned by:
Priority: major Milestone: release 2.6
Component: Crypto Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: FIPS
Cc:

Description

There is a patch lingering in Red Hat Bugzilla #1369260 which adds FIPS support to OpenVPN.

This is an interesting feature for many who need to apply policies where FIPS is a hard requirement.

The problem with this patch is that it replaces MD5 hashing a few places with SHA1, which will break compatibility with non-FIPS enabled clients.

I think this patchset could be matured by adding a --fips-mode option. Then look into how to signal to the remote side if FIPS is supported or not.

If the server side is configured with --fips-mode, it should reject clients which do not support FIPS. However, a client does not need to explicitly enable --fips-mode; it should switch to that automatically if the server signals FIPS mode being enabled.

If the client is configured with --fips-mode, it enforces FIPS mode. So if the client does not support FIPS, it should close the connection.

The question is whether the SSL libraries can be switched to FIPS mode after the initial connection handshake, and how to actually do this signalling.

Change History (0)
