Hi OpenSSH team,
I find a url
http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808,
which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems
working for some cases.
(BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't
work in FIPS mode properly.
The fips mode sshd debug info is as following.
***************************
debug2: set_newkeys: mode 1
cipher_init: EVP_CipherInit: set key failed for aes128-ctr
debug1: do_cleanup
??
debug3: PAM: sshpam_thread_cleanup entering
debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON)
***************************
I don't know why. Are these three ciphers FIPS forbidden?)
??
As you know, FIPS 1.1.2 module has been officially released for some period and
FIPS Capable OpenSSL may become one of the important main branches of OpenSSL in
the near future. So if openssh can provide built-in FIPS Capable functionality,
it will be highly appreciated.
Would you please take this suggestion into consideration for future openssh
release?
Thank you!
_________________________________________________________________
?????????????MSN????TA?????
http://im.live.cn/emoticons/?ID=18
Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following. *************************** debug2: set_newkeys: mode 1 cipher_init: EVP_CipherInit: set key failed for aes128-ctr debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON) *************************** I don't know why. Are these three ciphers FIPS forbidden?) As you know, FIPS 1.1.2 module has been officially released for some period and FIPS Capable OpenSSL may become one of the important main branches of OpenSSL in the near future. So if openssh can provide built-in FIPS Capable functionality, it will be highly appreciated. Would you please take this suggestion into consideration for future openssh release? Thank you! _________________________________________________________________ ?????????live mail???????? http://get.live.cn/product/mail.html
Hi,
As far as I know, aes*-ctr is different from aes*-cbc and is NOT openssl FIPS
supported.
However, I guess it would be possible/easy to workaround/fix this, since there
is no standard for what is SSH FIPS compliant.
If you're interested, try running in FIPS enabled and disabled modes and see
where it breaks.
This is an educated guess :)
See also http://rfc.net/rfc4344.html
Oren
P.S.
EVP_CipherInit is probably defined in libcrypto.a:fipscanister.o
-----Original Message-----
From: openssh-unix-dev-bounces+oren=forescout.com at mindrot.org
[mailto:openssh-unix-dev-bounces+oren=forescout.com at mindrot.org] On Behalf Of
???
Sent: ? 12 ???? 2008 10:28
To: openssh-unix-dev at mindrot.org
Subject: FIPS mode OpenSSH suggestion
Hi OpenSSH team,
I find a url
http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808,
which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems
working for some cases.
(BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't
work in FIPS mode properly.
The fips mode sshd debug info is as following.
***************************
debug2: set_newkeys: mode 1
cipher_init: EVP_CipherInit: set key failed for aes128-ctr
debug1: do_cleanup
??
debug3: PAM: sshpam_thread_cleanup entering
debug1: audit event euid 0 user (unknown user) event 12 (CONNECTION_ABANDON)
***************************
I don't know why. Are these three ciphers FIPS forbidden?)
??
As you know, FIPS 1.1.2 module has been officially released for some period and
FIPS Capable OpenSSL may become one of the important main branches of OpenSSL in
the near future. So if openssh can provide built-in FIPS Capable functionality,
it will be highly appreciated.
Would you please take this suggestion into consideration for future openssh
release?
Thank you!
_________________________________________________________________
?????????????MSN????TA?????
http://im.live.cn/emoticons/?ID=18
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev