Hello,

I am using the latest Tinc 1.1 from git (tinc version 1.1pre14-17-g2784a17, built Jul 14 2016 14:18:09, protocol 17.7) on CentOS 7.2 64-bit with both test servers set in FIPS mode (cat /proc/sys/crypto/fips_enabled to verify, or add fips=1 to your grub2 command line). We need our test servers running in FIPS mode due to a minimum requirement for our project. OpenSSL in CentOS/RHEL has FIPS support compiled in. FIPS will *only* allow high-end encryption to be used and will fail for ones that aren't FIPS compatible.

When having the server set in FIPS mode, I have the following set in tinc.conf:

    # Default Configuration file for.
    BindToAddress=* 655
    Cipher=aes-256-cbc
    Digest=sha1
    Name=myserver2_com
    AutoConnect=yes
    Connect=myserver_com

And when connecting to my test server, it can't connect, with an error message saying "Error while setting key: error:0607B0A3:digital envelope routines:EVP_CipherInit_ex:disabled for fips". It just keeps on failing. Example output:

    2016-07-20 16:06:37 tinc.vpn[2920]: Trying to connect to myserver_com (204.200.1.44 port 655)
    2016-07-20 16:06:37 tinc.vpn[2920]: Connected to myserver_com (204.200.1.44 port 655)
    2016-07-20 16:06:37 tinc.vpn[2920]: Error while setting key: error:0607B0A3:digital envelope routines:EVP_CipherInit_ex:disabled for fips
    2016-07-20 16:06:37 tinc.vpn[2920]: Error while processing ID from myserver_com (204.200.1.44 port 655)
    2016-07-20 16:06:37 tinc.vpn[2920]: Closing connection with myserver_com (204.200.1.44 port 655)
    2016-07-20 16:06:37 tinc.vpn[2920]: Could not set up a meta connection to myserver_com
    2016-07-20 16:06:37 tinc.vpn[2920]: Trying to re-establish outgoing connection in 25 seconds

I tried changing Ciphers (Cipher=aes, Cipher=aes192, Cipher=aes256) and Digests (Digest=sha256, Digest=sha384, Digest=sha512) and it keeps failing. It seems nothing will work. If I disable FIPS mode on both test servers (fips=0 on my grub2 command line) they connect without any issue, but we cannot disable FIPS mode.
Has anyone else gotten Tinc to work on a FIPS-enabled server, or is it possible for someone to add FIPS support to Tinc? Thanks in advance.
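The "error:0607B0A3:..." string in the log above is OpenSSL's packed error code, and the reason field is what tells you that FIPS mode, not a bad key or a typo in tinc.conf, rejected the cipher. The script below is an added example for this thread (not tinc's or OpenSSL's own code): it unpacks the code into its library/function/reason fields and scans tinc log lines for the FIPS-rejection reason. The field layout and the numeric constants (ERR_LIB_EVP = 6, EVP_F_EVP_CIPHERINIT_EX = 123, EVP_R_DISABLED_FOR_FIPS = 163) are those of OpenSSL 1.0.x as shipped on CentOS 7; OpenSSL 3 dropped the function field, so the decoder is assumed to be run against 1.0.x-era logs. The sample log is the thread's own lines plus one constructed non-FIPS error line for contrast.

```python
"""Decode OpenSSL 1.0.x packed error codes from tinc log lines and flag the
ones that mean "disabled for fips".

Added example, not tinc's or OpenSSL's own code.  Constants are taken from
OpenSSL 1.0.2's crypto/err/err.h and crypto/evp/evp.h (assumption: the log
was produced by a tinc linked against OpenSSL 1.0.x, as on CentOS 7).
"""
import re

# OpenSSL 1.0.x packs an error as 0xLLFFFRRR (8 hex digits):
#   lib    = (code >> 24) & 0xff   -> ERR_GET_LIB()
#   func   = (code >> 12) & 0xfff  -> ERR_GET_FUNC()
#   reason =  code        & 0xfff  -> ERR_GET_REASON()
ERR_LIB_EVP = 6                   # "digital envelope routines"
EVP_F_EVP_CIPHERINIT_EX = 123     # EVP_CipherInit_ex
EVP_R_DISABLED_FOR_FIPS = 163     # "disabled for fips"


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into its three fields."""
    return {
        "lib": (code >> 24) & 0xff,
        "func": (code >> 12) & 0xfff,
        "reason": code & 0xfff,
    }


def is_fips_cipher_rejection(code):
    """True when the EVP layer refused an algorithm because FIPS mode is on."""
    fields = unpack_openssl_error(code)
    return fields["lib"] == ERR_LIB_EVP and fields["reason"] == EVP_R_DISABLED_FOR_FIPS


# tinc's log format: "<date> <time> <ident>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ident>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# OpenSSL's ERR_error_string_n() output embedded in the message
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)


def find_fips_rejections(log_text):
    """Return one record per log line whose OpenSSL error reason is
    EVP_R_DISABLED_FOR_FIPS.  Lines without an OpenSSL error are skipped."""
    hits = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        err = ERR_RE.search(line.group("msg"))
        if not err:
            continue
        code = int(err.group("code"), 16)
        if is_fips_cipher_rejection(code):
            hits.append({
                "ts": line.group("ts"),
                "pid": int(line.group("pid")),
                "code": code,
                "func": err.group("func"),
                "reason": err.group("reason"),
            })
    return hits


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Kernel-side FIPS flag, the same file the original post checks.
    Returns False when the file is absent (non-Linux or no FIPS support)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


# Sample input: the thread's log lines, plus one constructed line with a
# different EVP error (wrong final block length) that must NOT be flagged.
SAMPLE_LOG = """\
2016-07-20 16:06:37 tinc.vpn[2920]: Trying to connect to myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Connected to myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Error while setting key: error:0607B0A3:digital envelope routines:EVP_CipherInit_ex:disabled for fips
2016-07-20 16:06:37 tinc.vpn[2920]: Error while processing ID from myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Closing connection with myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:38 tinc.vpn[2920]: Error while decrypting: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length
"""

if __name__ == "__main__":
    print("kernel FIPS mode:", fips_enabled())
    for hit in find_fips_rejections(SAMPLE_LOG):
        print("%s pid=%d %s rejected by FIPS (code 0x%08X)"
              % (hit["ts"], hit["pid"], hit["func"], hit["code"]))
```

Run as a script it prints the FIPS state of the local kernel and one line for the rejected EVP_CipherInit_ex call; the constructed EVP_DecryptFinal_ex line is parsed but not reported, because its reason field is not 163. Note that the error comes from EVP_CipherInit_ex, i.e. from setting up a cipher, not from a digest, which is consistent with the reply below that the failing algorithm is not the one configured with Cipher=.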
On Wed, Jul 20, 2016 at 04:38:02PM -0500, Boris Reisig wrote:

> I am using the latest Tinc 1.1 from git (tinc version 1.1pre14-17-g2784a17
> (built Jul 14 2016 14:18:09, protocol 17.7) on a CentOS 7.2 64-bit with both
> test servers set in FIPS mode (cat /proc/sys/crypto/fips_enabled to verify
> or add fips=1 to your grub2 command line ). We need our test servers
> running in FIPS mode due to a minimum requirement for our project. OpenSSL
> in CentOS/RHEL has FIPS support compiled in OpenSSL. FIPS will *only* allow
> high-end encryption to be used and fail for ones that aren't FIPS
> compatible. When having the server set in FIPS mode, I have the following
> set in tinc.conf

Unfortunately, the protocol for tinc 1.0 requires Blowfish to be used during authentication, regardless of the Cipher setting. However, if you only have 1.1 nodes, you should not get this problem. However, I should warn you that the new protocol in tinc 1.1 will work regardless of what OpenSSL supports, because it includes its own copy of Ed25519 and Chacha-Poly1305. But those algorithms are not in FIPS as far as I know. So in short, tinc is not FIPS compatible.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>