action #155920
Updated by emiler 3 months ago
openQA test in scenario sle-15-SP6-Online-x86_64-fips_tests_crypt_openvpn_server@64bit fails in [openvpn_server](https://openqa.suse.de/tests/13548439/modules/openvpn_server/steps/53) The OpenVPN service fails to start: ``` × openvpn@static.service - OpenVPN tunneling daemon instance using /etc/openvpn/static.conf Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; preset: disabled) Active: failed (Result: exit-code) since Mon 2024-02-19 13:50:25 EST; 12ms ago Duration: 3ms Process: 2924 ExecStart=/usr/sbin/openvpn --daemon openvpn@static --writepid /run/openvpn/static.pid --cd /etc/openvpn/ --config static.conf (code=exited, status=1/FAILURE) Main PID: 2924 (code=exited, status=1/FAILURE) Status: "Pre-connection initialization successful" CPU: 8ms Feb 19 13:50:25 server systemd[1]: Starting OpenVPN tunneling daemon instance using /etc/openvpn/static.conf... Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATED OPTION: The option --secret is deprecated. Feb 19 13:50:25 server openvpn@static[2924]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint. Feb 19 13:50:25 server openvpn@static[2924]: OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] Feb 19 13:50:25 server openvpn@static[2924]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10 Feb 19 13:50:25 server systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/static.conf. Feb 19 13:50:25 server openvpn@static[2924]: Cipher BF-CBC not supported Feb 19 13:50:25 server openvpn@static[2924]: Exiting due to fatal error Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Main process exited, code=exited, status=1/FAILURE Feb 19 13:50:25 server systemd[1]: openvpn@static.service: Failed with result 'exit-code'. ``` It seems like new versions (perhaps OpenSSL 3 migration?) do not support the BF-CBC F-CBC cipher. We might need to update our test data.