action #155920

closed

[security][15-SP6] test fails in openvpn_server due to unsupported cipher

Added by emiler 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2024-02-23
Due date:
% Done: 100%
Estimated time: 8.00 h
Difficulty:
Tags:

Description

openQA test in scenario sle-15-SP6-Online-x86_64-fips_tests_crypt_openvpn_server@64bit fails in openvpn_server

The OpenVPN service fails to start:

× openvpn@static.service - OpenVPN tunneling daemon instance using /etc/openvpn/static.conf
     Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2024-02-19 13:50:25 EST; 12ms ago
   Duration: 3ms
    Process: 2924 ExecStart=/usr/sbin/openvpn --daemon openvpn@static --writepid /run/openvpn/static.pid --cd /etc/openvpn/ --config static.conf (code=exited, status=1/FAILURE)
   Main PID: 2924 (code=exited, status=1/FAILURE)
     Status: "Pre-connection initialization successful"
        CPU: 8ms

Feb 19 13:50:25 server systemd[1]: Starting OpenVPN tunneling daemon instance using /etc/openvpn/static.conf...
Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATED OPTION: The option --secret is deprecated.
Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
Feb 19 13:50:25 server openvpn@static[2924]: OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
Feb 19 13:50:25 server openvpn@static[2924]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Feb 19 13:50:25 server systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/static.conf.
Feb 19 13:50:25 server openvpn@static[2924]: Cipher BF-CBC not supported
Feb 19 13:50:25 server openvpn@static[2924]: Exiting due to fatal error
Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Failed with result 'exit-code'.

It seems like new versions (perhaps OpenSSL 3 migration?) do not support the BF-CBC cipher. We might need to update our test data.

Actions #1

Updated by emiler 2 months ago

  • Description updated

Actions #2

Updated by pstivanin 2 months ago

  • Subject changed from [security][SP6] test fails in openvpn_server due to unsupported cipher to [security][15-SP6] test fails in openvpn_server due to unsupported cipher
  • Status changed from New to In Progress
  • Assignee set to pstivanin

Actions #3

Updated by pstivanin 2 months ago

  • % Done changed from 0 to 30
  • Estimated time set to 4.00 h

Actions #4

Updated by pstivanin 2 months ago · Edited

  • % Done changed from 30 to 50

I've found some misconfigured tests (openvpn included); I'll fix them together with this task.

Actions #5

Updated by tjyrinki_suse 2 months ago

I'm checking whether this is expected.

Actions #6

Updated by pstivanin 2 months ago

Setting AES-256-CBC as cipher fixes the issue.

Actions #7

Updated by pstivanin 2 months ago

  • % Done changed from 50 to 70
  • Estimated time changed from 4.00 h to 8.00 h

Actions #8

Updated by pstivanin about 2 months ago

  • % Done changed from 70 to 100

openvpn on FIPS only works on 15-SP6. The reason is explained here: https://bugzilla.suse.com/show_bug.cgi?id=1221104
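
An added example, not part of the ticket or of the openQA test code: a pre-flight check that finds the cipher directives in an OpenVPN config, flags any outside an allow-list, pulls the refused cipher out of the journal lines, and applies the AES-256-CBC change reported in comment #6. The function names, the allow-list and the sample config are assumptions made for this illustration.

```python
import re

# Assumption of this example: allow only AES in CBC or GCM mode, in line with
# the AES-256-CBC fix reported in this ticket. Adjust to local policy.
ALLOWED = re.compile(r"AES-(128|192|256)-(CBC|GCM)", re.IGNORECASE)
DIRECTIVES = ("cipher", "data-ciphers", "data-ciphers-fallback")

# Constructed sample config; the real static.conf is not shown in the ticket.
SAMPLE_CONF = """\
# point-to-point static key setup
dev tun
secret static.key
cipher BF-CBC
"""

# Two lines copied from the journal output quoted in the ticket.
SAMPLE_LOG = """\
Feb 19 13:50:25 server openvpn@static[2924]: Cipher BF-CBC not supported
Feb 19 13:50:25 server openvpn@static[2924]: Exiting due to fatal error
"""

def configured_ciphers(conf_text):
    """Return (line_number, directive, cipher) for every cipher named in the config."""
    found = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] in DIRECTIVES:
            # data-ciphers takes a colon-separated list of names
            found += [(lineno, parts[0], name) for name in parts[1].split(":")]
    return found

def audit(conf_text):
    """Return ciphers outside the allow-list, or a note when no cipher is pinned."""
    named = configured_ciphers(conf_text)
    if not named:
        return [(0, "cipher", "<not set: build default applies>")]
    return [entry for entry in named if not ALLOWED.fullmatch(entry[2])]

def refused_in_log(log_text):
    """Extract the cipher names OpenVPN reported as unsupported."""
    return re.findall(r"Cipher (\S+) not supported", log_text)

def pin_cipher(conf_text, cipher="AES-256-CBC"):
    """Rewrite the 'cipher' directive and leave every other line untouched."""
    return re.sub(r"(?m)^(\s*cipher\s+)\S+", lambda m: m.group(1) + cipher, conf_text)

if __name__ == "__main__":
    print(audit(SAMPLE_CONF), refused_in_log(SAMPLE_LOG), audit(pin_cipher(SAMPLE_CONF)))
```

Running the audit against test data before the service starts surfaces the cipher problem as a config finding rather than as a failed unit.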
