openssh unix dev - Oct 2013 - Older ssh clients can't connect to sshd (6.3p1) built using FIPS object module 2.0.5

Hi,

 

ssh server: OpenSSH_6.3-FIPS, OpenSSL FIPS Object Module v2.0.5

ssh client: OpenSSH_5.3p1, OpenSSL FIPS Object Module v1.2



We have built and installed FIPS object module (v2.0.5) using
http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz 

Using this FIPS object module, we have build FIPS capable openssl as well.
Note that we have "not" used ecp version (with binary curve ECC
omitted) of
FIPS object module.

 

We have applied a FIPS patch similar to
http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch
<http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch%20to
%20openssh%20suite%20v6.3p1>  to openssh suite v6.3p1 and successfully
generated openssh suite binaries. PFA our draft of FIPS patch for openssh:
openssh-6.3p1-fips-patch (Not reviewed by OpenSSL Software Foundation).

 

sshd built this way has connection issues with older ssh clients - even in
FIPS off mode. PFA error logs (ssh_error.log)

 

ssh client just blocks at the following log:
>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 

openssh client v6.3.p1 can successfully connect to this server - but some of
older clients can't.

 

Any pointers? 

 

Thanks,

Manish Jagtap

 

 

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-6.3p1-fips-patch.txt
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131031/20199067/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssh_error.log.txt
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131031/20199067/attachment-0003.txt>