Tinc and FIPS mode fails to connect.
Guus Sliepen
guus at tinc-vpn.org
Mon Jul 25 18:37:20 CEST 2016
On Wed, Jul 20, 2016 at 04:38:02PM -0500, Boris Reisig wrote:
> I am using the latest Tinc 1.1 from git (tinc version 1.1pre14-17-g2784a17
> (built Jul 14 2016 14:18:09, protocol 17.7) on a CentOS 7.2 64bit with both
> test servers set it FIPS mode (cat /proc/sys/crypto/fips_enabled to verify
> or add fips=1 to your grub2 command line ). We need our test servers
> running in FIPS mode due to a minimum requirement for our project. OpenSSL
> in CentOS/RHEL has FIPS support compiled in OpenSSL. FIPS will *only* allow
> high end encryption to be used and fail for one's that aren't FIPS
> compatible. When having the server set in FIPS mode, I have the following
> set in tinc.conf
Unfortunately, the protocol for tinc 1.0 requires Blowfish to be used
during authentication, regardless of the Cipher setting. However, if you
only have 1.1 nodes, you should not get this problem.
However, I should warn you that the new protocol in tinc 1.1 will work
regardless of what OpenSSL supports, because it includes its own copy of
Ed25519 and Chacha-Poly1305. But those algorithms are not in FIPS as far
as I know.
So in short, tinc is not FIPS compatible.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20160725/fb5a7898/attachment.sig>
More information about the tinc
mailing list