Bug 1019449

Summary: ECDHE now supported in Fedora openssl, please add to openvpn
Product: [Fedora] Fedora
Reporter: Dimitris <dimitris.on.linux>
Component: openvpn
Assignee: Steven Pritchard <steve>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bill-bugzilla.redhat.com, davids, gwync, huzaifas, lemenkov, steve
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2013-10-17 22:51:20 UTC
Type: Bug
Bug Blocks: 1019390    

Description Dimitris 2013-10-15 18:01:18 UTC
Per bug 319901, elliptic curve crypto is now available in Fedora's openssl libs. openvpn needs to be rebuilt with EC* options enabled for TLS cipher suites.

Comment 1 David Sommerseth 2013-10-17 22:51:20 UTC
A lot more than a rebuild of OpenVPN is needed.  To properly support EC, OpenVPN needs to be enhanced with ECDH (now only DH is available).  This requires upstream OpenVPN to get patches written and applied.  There are some people looking into this from time to time, but until OpenVPN has the needed patches, EC isn't really functional at all.

Closing this Fedora bug, as this needs to be taken upstream with the OpenVPN community directly.

Comment 2 Bill McGonigle 2013-10-18 19:06:55 UTC
Yep, here's the upstream ticket and forum thread:

  https://community.openvpn.net/openvpn/ticket/307
  https://forums.openvpn.net/topic8404-30.html

I'd love to have ECDH on my OpenVPN connections, and it looks like patches exist but they haven't been properly asked for, implemented, or tested (yet).

Comment 3 Peter Lemenkov 2013-10-21 11:50:05 UTC
Please don't unblock the parent ticket when a child ticket is resolved. We'd better leave it blocked (for reference, for statistical purposes, etc).

Comment 4 David Sommerseth 2013-10-22 10:35:39 UTC
(In reply to Peter Lemenkov from comment #3)
> Please don't unblock the parent ticket when a child ticket is resolved. We'd
> better leave it blocked (for reference, for statistical purposes, etc).

Fair enough, I just felt the OpenVPN bug isn't really related to Fedora enabling elliptic curves.

For OpenVPN's part, that needs to be resolved upstream (which it isn't yet). IMO, this bug is completely irrelevant to Fedora, as this issue should only be tracked upstream with OpenVPN.

And to my knowledge, there's no ETA for when OpenVPN will enable EC.