The xenial patch has additional code. In version 2.3.10, openvpn uses MD5 for PRF and internally for configuration status verification. FIPS 140-2 permits MD5 for PRF, but not as a hash for internal verification. Subsequent versions of openvpn (2.4) was changed upstream to not use MD5, instead uses SHA256. The attached patch provided by atsec uses SHA1 instead of MD5.
The xenial patch has additional code. In version 2.3.10, openvpn uses MD5 for PRF and internally for configuration status verification. FIPS 140-2 permits MD5 for PRF, but not as a hash for internal verification. Subsequent versions of openvpn (2.4) was changed upstream to not use MD5, instead uses SHA256. The attached patch provided by atsec uses SHA1 instead of MD5.