<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am using the latest Tinc 1.1 from git (tinc version 1.1pre14-17-g2784a17 (built Jul 14 2016 14:18:09, protocol 17.7)) on CentOS 7.2 64-bit with both test servers set in FIPS mode (cat /proc/sys/crypto/fips_enabled to verify, or add fips=1 to your grub2 command line). We need our test servers running in FIPS mode due to a minimum requirement for our project. OpenSSL in CentOS/RHEL has FIPS support compiled in. FIPS will *<b>only</b>* allow high-end encryption to be used and fail for ones that aren’t FIPS compatible. With the server set in FIPS mode, I have the following set in tinc.conf:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># Default Configuration file for.<o:p></o:p></p><p class=MsoNormal>BindToAddress=* 655<o:p></o:p></p><p class=MsoNormal>Cipher=aes-256-cbc<o:p></o:p></p><p class=MsoNormal>Digest=sha1<o:p></o:p></p><p class=MsoNormal>Name=myserver2_com<o:p></o:p></p><p class=MsoNormal>AutoConnect=yes<o:p></o:p></p><p class=MsoNormal>Connect=myserver_com<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>And when connecting to my test server, it can’t connect, with an error message saying “Error while setting key: error:0607B0A3:digital envelope routines:EVP_CipherInit_ex:disabled for fips”. It just keeps on failing.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Example output:<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Trying to connect to myserver_com (204.200.1.44 port 655)<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Connected to myserver_com (204.200.1.44 port 655)<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Error while setting key: error:0607B0A3:digital envelope routines:EVP_CipherInit_ex:disabled for fips<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Error while processing ID from myserver_com (204.200.1.44 port 655)<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Closing connection with myserver_com (204.200.1.44 port 655)<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Could not set up a meta connection to myserver_com<o:p></o:p></p><p class=MsoNormal>2016-07-20 16:06:37 tinc.vpn[2920]: Trying to re-establish outgoing connection in 25 seconds<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I tried changing Ciphers (Cipher=aes, Cipher=aes192, Cipher=aes256) and Digests (Digest=sha256, Digest=sha384, Digest=sha512) and it keeps failing. It seems nothing will work.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If I disable FIPS mode on both test servers (fips=0 on my grub2 command line) they connect without any issue, but we cannot disable FIPS mode.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Has anyone else gotten Tinc to work on a FIPS-enabled server, or is it possible for someone to add FIPS support to Tinc? Thanks in advance.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div>
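A small diagnostic added here, not part of the mail above or of tinc: it reads the kernel's FIPS flag, pulls the Cipher/Digest values out of a tinc.conf and asks the local openssl CLI whether each one initialises, so a "disabled for fips" verdict can be tied to a config-selected algorithm or ruled out for all of them. It assumes the openssl command-line tool is installed and that the tinc.conf values are OpenSSL algorithm names; the sample tinc.conf is constructed from the settings in the mail.

```shell
# Added diagnostic, not tinc code: ask the local OpenSSL whether each
# Cipher=/Digest= name from a tinc.conf is usable on this (FIPS?) host.
# Constructed sample tinc.conf with the settings from the mail.
SAMPLE_CONF='# Default Configuration file for.
BindToAddress=* 655
Cipher=aes-256-cbc
Digest=sha1
Name=myserver2_com
AutoConnect=yes
Connect=myserver_com'
# Prints 1 when the kernel reports FIPS mode (the check from the mail), else 0.
fips_enabled() {
    { [ -r /proc/sys/crypto/fips_enabled ] && cat /proc/sys/crypto/fips_enabled; } || echo 0
}
# Prints "Cipher=<name>" / "Digest=<name>" for a tinc.conf read on stdin;
# comment lines are skipped and keys are matched case-insensitively.
conf_algos() {
    awk -F= '/^[ \t]*#/ { next }
        { key = $1; val = $2; gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t]+|[ \t]+$/, "", val) }
        tolower(key) == "cipher" || tolower(key) == "digest" { print key "=" val }'
}
# Classifies one algorithm for the local OpenSSL: ok, fips-disabled, rejected
# (other OpenSSL error) or no-openssl.  $1 = Cipher|Digest, $2 = OpenSSL name.
probe_algo() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    key=0000000000000000000000000000000000000000000000000000000000000000
    iv=00000000000000000000000000000000      # dummy key/IV; only init matters
    if [ "$1" = Cipher ]; then
        cmd="openssl enc -$2 -K $key -iv $iv"
    else
        cmd="openssl dgst -$2"
    fi
    # stderr is captured, stdout (ciphertext/digest) is discarded
    if err=$(printf probe | $cmd 2>&1 >/dev/null); then echo ok; return 0; fi
    case $err in
        *"disabled for fips"*) echo fips-disabled ;;
        *)                     echo rejected ;;
    esac
}
# Reports the verdict for every Cipher/Digest line of a tinc.conf on stdin.
report_conf() {
    echo "fips_enabled=$(fips_enabled)"
    conf_algos | while IFS== read -r kind name; do
        echo "$kind=$name: $(probe_algo "$kind" "$name")"
    done
}
printf '%s\n' "$SAMPLE_CONF" | report_conf
```

If every configured name reports ok while tinc still fails with "disabled for fips", the rejected algorithm is not one chosen in tinc.conf.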
</body></html>