Ning Liu (niliu2)
2015-Oct-23  04:12 UTC
[CentOS] OpenSSL and OpenSSH on CentOS (FIPS enabled)
Hi experts,

Currently I am doing a FIPS gap analysis for our product; can someone help to have a look at my questions?

Our product is a server running under CentOS 6.x, and according to the upstream (Red Hat) document, CentOS can be configured into FIPS mode:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html

And according to the CentOS forum, if we enable FIPS mode on CentOS, then OpenSSL will also be in FIPS mode:
https://www.centos.org/forums/viewtopic.php?t=9078

Questions:

(1) Is that true for OpenSSL?

(2) How about OpenSSH, since we are using SSH for administration, but there is not much documentation mentioning OpenSSH vs. FIPS. But it looks like Red Hat already takes care of OpenSSH:
https://www.redhat.com/en/about/press-releases/red-hat-completes-fips-1402-certifications

Can I assume that OpenSSH is in FIPS mode when CentOS is in FIPS mode?

Regards,
Ning Liu
Gordon Messmer
2015-Oct-24  15:51 UTC
[CentOS] OpenSSL and OpenSSH on CentOS (FIPS enabled)
On 10/22/2015 09:12 PM, Ning Liu (niliu2) wrote:
> (1) Is that true for OpenSSL?

http://stackoverflow.com/questions/18616573/how-to-check-fips-140-2-support-in-openssl

But, having said that, you should note that FIPS is a certification that applies to specific products. You can enable "FIPS mode", but no CentOS systems are FIPS certified. If you require certification, you must use a Red Hat product.

> (2) How about OpenSSH, since we are using SSH for administration, but there is not much documentation mentioning OpenSSH vs. FIPS.

Look at the document you linked to again. It describes specifics with regard to OpenSSH. Verify that sshd is configured according to the documentation, and follow the advice when generating host and user keys.
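The checks both posts point at (kernel FIPS state, OpenSSL honouring it, sshd algorithm lists), as an added example that is not code from either poster. It assumes the CentOS 6 layout from the Red Hat guide (fips=1 on the kernel command line, /proc/sys/crypto/fips_enabled) and uses an assumed list of non-approved sshd algorithms; file paths are parameters so the functions can be run against copied files.

```shell
#!/bin/sh
# Added example: verify the FIPS-mode pieces this thread discusses on a
# CentOS 6 host. Paths default to the live system but can be overridden.

# Kernel FIPS state: the sysctl file reads 1 when booted with fips=1.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || { echo unknown; return 2; }
    case "$(cat "$f")" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# The Red Hat guide's boot step: fips=1 must be present on the kernel
# command line (exact token match, so fips=10 or nofips=1 do not count).
cmdline_has_fips() {
    f="${1:-/proc/cmdline}"
    tr ' ' '\n' < "$f" 2>/dev/null | grep -qx 'fips=1'
}

# OpenSSL in FIPS mode refuses non-approved digests such as MD5, so a
# successful "openssl md5" means the library is NOT running in FIPS mode.
openssl_fips_active() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 2; }
    if openssl md5 /dev/null >/dev/null 2>&1; then echo disabled; return 1; fi
    echo enabled
}

# Print entries on sshd_config Ciphers/MACs lines that FIPS mode will not
# allow (assumed list: RC4, Blowfish, CAST, MD5/RIPEMD/UMAC MACs).
non_fips_sshd_algos() {
    cfg="${1:-/etc/ssh/sshd_config}"
    awk 'tolower($1)=="ciphers" || tolower($1)=="macs" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ /^(arcfour|blowfish|cast128|hmac-md5|umac|hmac-ripemd)/)
                    print a[i]
         }' "$cfg"
}

# One-screen summary for an administrator.
report() {
    echo "kernel fips:   $(fips_state)"
    cmdline_has_fips && echo "cmdline:       fips=1" || echo "cmdline:       no fips=1"
    echo "openssl:       $(openssl_fips_active)"
    echo "sshd non-FIPS: $(non_fips_sshd_algos | tr '\n' ' ')"
}
```

Source the file and run `report`; a host configured per the guide shows `enabled` twice, `fips=1`, and an empty sshd line.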