Manish Jagtap
2013-Oct-31 08:19 UTC
Older ssh clients can't connect to sshd (6.3p1) built using FIPS object module 2.0.5
Hi,

ssh server: OpenSSH_6.3-FIPS, OpenSSL FIPS Object Module v2.0.5
ssh client: OpenSSH_5.3p1, OpenSSL FIPS Object Module v1.2

We have built and installed the FIPS object module (v2.0.5) using http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz. Using this FIPS object module, we have built a FIPS-capable OpenSSL as well. Note that we have "not" used the ecp version (with binary curve ECC omitted) of the FIPS object module.

We have applied a FIPS patch similar to http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch to the openssh suite v6.3p1 and successfully generated openssh suite binaries. PFA our draft of the FIPS patch for openssh: openssh-6.3p1-fips-patch (not reviewed by the OpenSSL Software Foundation).

sshd built this way has connection issues with older ssh clients - even in FIPS off mode. PFA error logs (ssh_error.log). The ssh client just blocks at the following log line:

> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

The openssh client v6.3p1 can successfully connect to this server - but some of the older clients can't.

Any pointers?

Thanks,
Manish Jagtap

Attachments:
- openssh-6.3p1-fips-patch.txt: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131031/20199067/attachment-0002.txt>
- ssh_error.log.txt: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131031/20199067/attachment-0003.txt>