CentOS - Oct 2015 - OpenSSL and OpenSSH on CentOS (FIPS enabled)

Hi experts,

Current I am doing FIPS gap analysis for our product, can someone help to have a
look my questions?

Our product is server running under CentOS 6.x, and according to the upstream
(RedHat) document, CentOS can be configured to FIPS mode:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html

And according to the CentOS forum, if we enabled FIPS mode on CentOS, then
OpenSSL will also be in FIPS mode
https://www.centos.org/forums/viewtopic.php?t=9078

Questions:

(1) Is that true for OpenSSL ?

(2) How about OpenSSH, since we are using SSH for administration, but there is
not too much document mentioning OpenSSH Vs. FIPS. But looks like REDHAT already
takes care of OpenSSH:
https://www.redhat.com/en/about/press-releases/red-hat-completes-fips-1402-certifications
Can I assume that OpenSSH is in FIPS mode when CentOS is in FIPS mode ?


Regards,
Ning Liu

On 10/22/2015 09:12 PM, Ning Liu (niliu2) wrote:
> (1) Is that true for OpenSSL ?
http://stackoverflow.com/questions/18616573/how-to-check-fips-140-2-support-in-openssl

But, having said that, you should note that FIPS is a certification that 
applies to specific products.  You can enable "FIPS mode" but no
CentOS
systems are FIPS certified.  If you require certification, you must use 
a Red Hat product.
> (2) How about OpenSSH, since we are using SSH for administration, but there
is not too much document mentioning OpenSSH Vs. FIPS.
Look at the document you linked to, again.  It describes specifics with 
regard to OpenSSH.  Verify that sshd is configured according to the 
documentation, and follow the advice when generating host and user keys.