action #155920
closed: [security][15-SP6] test fails in openvpn_server due to unsupported cipher
Start date: 2024-02-23
Due date:
% Done: 100%
Estimated time: 8.00 h
Difficulty:
Description
openQA test in scenario sle-15-SP6-Online-x86_64-fips_tests_crypt_openvpn_server@64bit fails in openvpn_server
The OpenVPN service fails to start:
× openvpn@static.service - OpenVPN tunneling daemon instance using /etc/openvpn/static.conf
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Mon 2024-02-19 13:50:25 EST; 12ms ago
Duration: 3ms
Process: 2924 ExecStart=/usr/sbin/openvpn --daemon openvpn@static --writepid /run/openvpn/static.pid --cd /etc/openvpn/ --config static.conf (code=exited, status=1/FAILURE)
Main PID: 2924 (code=exited, status=1/FAILURE)
Status: "Pre-connection initialization successful"
CPU: 8ms
Feb 19 13:50:25 server systemd[1]: Starting OpenVPN tunneling daemon instance using /etc/openvpn/static.conf...
Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATED OPTION: The option --secret is deprecated.
Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
Feb 19 13:50:25 server openvpn@static[2924]: OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
Feb 19 13:50:25 server openvpn@static[2924]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Feb 19 13:50:25 server systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/static.conf.
Feb 19 13:50:25 server openvpn@static[2924]: Cipher BF-CBC not supported
Feb 19 13:50:25 server openvpn@static[2924]: Exiting due to fatal error
Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Failed with result 'exit-code'.
It seems like new versions (perhaps OpenSSL 3 migration?) do not support the BF-CBC cipher. We might need to update our test data.
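A triage helper for the failure pattern in the log above, as an added example that is not part of the ticket or of the openQA test code: it groups `openvpn@<instance>` journal lines by run and reports the rejected cipher next to the OpenVPN and OpenSSL versions. The function names `triage` and `cipher_failures` are hypothetical; the sample lines are copied from the ticket's log.

```python
import re

# Journal lines copied from the ticket's log above (not constructed).
SAMPLE = """\
Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATED OPTION: The option --secret is deprecated.
Feb 19 13:50:25 server openvpn@static[2924]: OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
Feb 19 13:50:25 server openvpn@static[2924]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Feb 19 13:50:25 server openvpn@static[2924]: Cipher BF-CBC not supported
Feb 19 13:50:25 server openvpn@static[2924]: Exiting due to fatal error
Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Main process exited, code=exited, status=1/FAILURE
"""

# Syslog-style prefix of an openvpn@<instance> unit: "Mon DD HH:MM:SS host openvpn@inst[pid]: msg"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ openvpn@(?P<inst>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPENVPN = re.compile(r"^OpenVPN (\d+(?:\.\d+)+) ")
OPENSSL = re.compile(r"library versions: OpenSSL (\d+(?:\.\d+)+)")
CIPHER = re.compile(r"^Cipher (\S+) not supported$")
DEPRECATED = re.compile(r"^DEPRECATED OPTION: The option (--\S+) is deprecated")


def triage(journal_text):
    """Summarise each OpenVPN run, keyed by (instance, pid)."""
    runs = {}
    for line in journal_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # systemd[1] lines and anything not from an openvpn@ unit
        run = runs.setdefault((m["inst"], int(m["pid"])), {
            "openvpn": None, "openssl": None,
            "unsupported_ciphers": [], "deprecated_options": [], "fatal": False})
        msg = m["msg"]
        if (v := OPENVPN.search(msg)):
            run["openvpn"] = v[1]
        elif (v := OPENSSL.search(msg)):
            run["openssl"] = v[1]
        elif (v := CIPHER.search(msg)):
            run["unsupported_ciphers"].append(v[1])
        elif (v := DEPRECATED.search(msg)):
            run["deprecated_options"].append(v[1])
        elif msg == "Exiting due to fatal error":
            run["fatal"] = True
    return runs


def cipher_failures(runs):
    """Runs that exited fatally after the crypto library rejected a cipher."""
    return [(inst, pid, c) for (inst, pid), r in runs.items()
            if r["fatal"] for c in r["unsupported_ciphers"]]


if __name__ == "__main__":
    for inst, pid, cipher in cipher_failures(triage(SAMPLE)):
        print(f"openvpn@{inst} (pid {pid}): cipher {cipher} rejected")
```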
Updated by pstivanin about 2 months ago
- % Done changed from 70 to 100
openvpn on FIPS only works on 15-SP6. Why is explained here: https://bugzilla.suse.com/show_bug.cgi?id=1221104
Updated by pstivanin about 2 months ago
- Status changed from In Progress to Resolved
I've unscheduled openvpn_fips on <15-sp6
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/18825
https://gitlab.suse.de/qe-security/osd-sle15-security/-/merge_requests/224