Tinc and FIPS mode fails to connect.

Boris Reisig boris at emergeknowledge.com
Wed Jul 20 23:38:02 CEST 2016


Hello,

I am using the latest Tinc 1.1 from git (tinc version 1.1pre14-17-g2784a17
(built Jul 14 2016 14:18:09, protocol 17.7)) on a CentOS 7.2 64-bit with both
test servers set in FIPS mode (cat /proc/sys/crypto/fips_enabled to verify,
or add fips=1 to your grub2 command line). We need our test servers
running in FIPS mode due to a minimum requirement for our project. OpenSSL
in CentOS/RHEL has FIPS support compiled in. FIPS will *only* allow
high-end encryption to be used and fail for ones that aren't FIPS
compatible. When having the server set in FIPS mode, I have the following
set in tinc.conf:

# Default Configuration file for.
BindToAddress=* 655
Cipher=aes-256-cbc
Digest=sha1
Name=myserver2_com
AutoConnect=yes
Connect=myserver_com

And when connecting to my test server, it can't connect, with an error
message saying "Error while setting key: error:0607B0A3:digital envelope
routines:EVP_CipherInit_ex:disabled for fips". It just keeps on failing.

Example output:

2016-07-20 16:06:37 tinc.vpn[2920]: Trying to connect to myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Connected to myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Error while setting key: error:0607B0A3:digital envelope routines:EVP_CipherInit_ex:disabled for fips
2016-07-20 16:06:37 tinc.vpn[2920]: Error while processing ID from myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Closing connection with myserver_com (204.200.1.44 port 655)
2016-07-20 16:06:37 tinc.vpn[2920]: Could not set up a meta connection to myserver_com
2016-07-20 16:06:37 tinc.vpn[2920]: Trying to re-establish outgoing connection in 25 seconds

I tried changing ciphers (Cipher=aes, Cipher=aes192, Cipher=aes256) and
digests (Digest=sha256, Digest=sha384, Digest=sha512) and it keeps failing.
It seems nothing will work.

If I disable FIPS mode on both test servers (fips=0 on my grub2 command
line) they connect without any issue, but we cannot disable FIPS mode.

Has anyone else gotten Tinc to work on a FIPS-enabled server, or is it
possible for someone to add FIPS support to Tinc? Thanks in advance.
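The check a practitioner would want before starting tincd on a FIPS-enabled host is to ask the local OpenSSL directly whether the configured Cipher and Digest can be initialised, since that is the library call (EVP_CipherInit_ex) that produces the "disabled for fips" error above. The script below is an added example, not code from this post or from the tinc project: it reads Cipher and Digest from a tinc.conf written in the "Key = value" form shown above, reports the kernel flag from /proc/sys/crypto/fips_enabled, and probes each algorithm with the `openssl` CLI. It assumes that the `openssl` binary in PATH is the same OpenSSL build tincd links against, and the file paths, function names and the sample config in the test are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example, not code from the original post or from the tinc
# project. Reads Cipher/Digest from a tinc.conf, reports the kernel FIPS flag
# and asks the system OpenSSL to initialise each algorithm, so a FIPS
# rejection can be reproduced without starting tincd.
# Assumptions: the `openssl` CLI in PATH is the same OpenSSL build tincd is
# linked against, and the config uses the "Key = value" form (the alternative
# "Key value" syntax is not parsed here).

# fips_state FILE: print the flag from a fips_enabled file (the real one is
# /proc/sys/crypto/fips_enabled; passed as a parameter so a constructed file
# can be used in tests), or "unknown" when the file is not readable.
fips_state() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'unknown'
    fi
}

# conf_value FILE KEY: print the first value set for KEY (case-insensitive),
# ignoring '#' comments and surrounding whitespace; prints nothing if unset.
conf_value() {
    awk -v key="$2" -F= '
        { sub(/#.*/, "") }                       # strip comments, re-split
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)       # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", v)       # trim value
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# probe_cipher NAME: exit 0 if `openssl enc` can initialise cipher NAME with
# the local library, non-zero otherwise. In FIPS mode this is where
# "disabled for fips" surfaces. -md sha256 keeps the password-based key
# derivation FIPS-acceptable so the result reflects the cipher itself rather
# than the default MD5-based KDF of older releases.
probe_cipher() {
    printf 'probe' | openssl enc "-$1" -md sha256 -pass pass:probe >/dev/null 2>&1
}

# probe_digest NAME: exit 0 if `openssl dgst` accepts digest NAME.
probe_digest() {
    printf 'probe' | openssl dgst "-$1" >/dev/null 2>&1
}

# report CONF [FIPSFILE]: print one line per setting with the probe result.
# Returns 1 if any configured algorithm failed to initialise, 2 if openssl
# is missing, else 0.
report() {
    conf="$1"
    fipsfile="${2:-/proc/sys/crypto/fips_enabled}"
    rc=0
    printf 'fips_enabled: %s\n' "$(fips_state "$fipsfile")"
    if ! command -v openssl >/dev/null 2>&1; then
        printf 'openssl CLI not found; cannot probe algorithms\n'
        return 2
    fi
    cipher="$(conf_value "$conf" Cipher)"
    digest="$(conf_value "$conf" Digest)"
    if [ -n "$cipher" ]; then
        if probe_cipher "$cipher"; then
            printf 'Cipher=%s: ok\n' "$cipher"
        else
            printf 'Cipher=%s: REJECTED by local OpenSSL\n' "$cipher"; rc=1
        fi
    fi
    if [ -n "$digest" ]; then
        if probe_digest "$digest"; then
            printf 'Digest=%s: ok\n' "$digest"
        else
            printf 'Digest=%s: REJECTED by local OpenSSL\n' "$digest"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh fips-probe.sh /etc/tinc/vpn/tinc.conf   (path is an assumption)
if [ "$#" -ge 1 ]; then
    report "$@"
fi
```

A rejection from this probe is conclusive: the same library refuses the algorithm and tincd will not do better. A pass is only a necessary condition, because `openssl enc` does not cover every way a daemon can initialise a cipher (it cannot drive AEAD modes such as GCM at all, for instance), so a configuration that passes here can still be rejected by tincd's own key setup on its meta connection, which is exactly what the log above shows for aes-256-cbc and sha1.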