similar to: Is there any plan for OpenSSH to support FIPS?

Hi OpenSSH team, I find a url http://www.gossamer-threads.com/lists/openssh/dev/42808?do=post_view_threaded#42808, which provides unofficial patch for FIPS Capable OpenSSH. I try it and it seems working for some cases. (BTW, I also find that aes128-ctr, aes192-ctr and aes256-ctr ciphers can't work in FIPS mode properly. The fips mode sshd debug info is as following.

Hi, I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with FIPS 140-2 OpenSSL. These are based on previously reported patches by Steve Marquess <marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>, for ver. OpenSSH 3.8. Note that these patches are NOT OFFICIAL, and MAY be used freely by anyone. Issues [partially] handled: SSL FIPS Self test. RC4,

Hello All, Im using OpenSSH 4.2p1 statically linked with OpenSSL 0.9.7i. It looks now that a fips certified OpenSSL is now available at http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz . I like to know of any patches applicable for OpenSSH versions to make it fips compliant. Is there any idea for OpenSSH core team to make OpenSSH as fips compliant? What amount of work it needs at this

Thanks Roumen. >Lets assume that application use OpenSSL FIPS validated module. FIPS mode is activated in openssl command if environment variable OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode. Did you mean the FIPS patched OpenSSH server and client (such as ssh-keygen) always

Thanks Roumen. I have few more questions below: 1. What version of OpenSSH can the patch be applied to? What branch should I check out the patch? 2. >Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck". What build process should be changed? What is fipscheck? 3. My understanding any application (such as OpenSSH) which need

Hi, ssh server: OpenSSH_6.3-FIPS, OpenSSL FIPS Object Module v2.0.5 ssh client: OpenSSH_5.3p1, OpenSSL FIPS Object Module v1.2 We have built and installed FIPS object module (v2.0.5) using http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz Using this FIPS object module, we have build FIPS capable openssl as well. Note that we have "not" used ecp version (with binary curve

Hi, I was trying to run sshd after applying the fips patches mentioned in http://www.gossamer-threads.com/lists/engine?do=post_attachment;postatt_id=1835;list=openssh but for some reason sshd refuses to accept the connection. I guess I do something terribly wrong. Is there a reason that this is bound to fail? These 5.6 patches were the most recent I could find. Are there any fips patches

Thanks for the quick reply Jeremy. We have other FIPS compliant libraries, which check for, and ensure the proper FIPS compliant algorithms are used. Is there a link option to specify this kind of library ? ~ Mike -----Original Message----- From: Jeremy Allison <jra at samba.org> Sent: Tuesday, October 2, 2018 2:08 PM To: Tompkins, Michael <Michael.Tompkins at xerox.com> Cc:

Hello, I am using the latest Tinc 1.1 from git (tinc version 1.1pre14-17-g2784a17 (built Jul 14 2016 14:18:09, protocol 17.7) on a CentOS 7.2 64bit with both test servers set it FIPS mode (cat /proc/sys/crypto/fips_enabled to verify or add fips=1 to your grub2 command line ). We need our test servers running in FIPS mode due to a minimum requirement for our project. OpenSSL in CentOS/RHEL has

http://bugzilla.mindrot.org/show_bug.cgi?id=1197 Summary: Enhancement request to enable fips compatibility mode in OpenSSH Product: Portable OpenSSH Version: 4.3p2 Platform: All URL: http://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf http://www.openssl.org/docs/fips/UserGuide-1.0.pdf

Hi experts, Current I am doing FIPS gap analysis for our product, can someone help to have a look my questions? Our product is server running under CentOS 6.x, and according to the upstream (RedHat) document, CentOS can be configured to FIPS mode:

On Tue, 18 Apr 2023, Norbert Pocs wrote: > Hi OpenSSH mailing list, > > I would like to announce the newly introduced patch in Fedora rawhide [0] > for > > FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9 > > version. > > The patch targets OpenSSL support of OpenSSH, specifically the usage of > > old low level API. The new

Dear Damien, On Wed, Apr 19, 2023 at 7:13?AM Damien Miller <djm at mindrot.org> wrote: > > On Tue, 18 Apr 2023, Norbert Pocs wrote: > > > Hi OpenSSH mailing list, > > > > I would like to announce the newly introduced patch in Fedora rawhide [0] > > for > > > > FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9 > >

On Fri, Mar 10, 2023 at 10:27?AM Joel GUITTET <jguittet.opensource at witekio.com> wrote: > We currently work on a project that require SSH server with FIPS and > using OpenSSL v3. Gently: this is meaningless. You probably mean one of the following: 1. The SSH server implementation is required to use only cryptographic algorithms that are FIPS-approved. 2. The SSH server

https://bugzilla.mindrot.org/show_bug.cgi?id=1987 Bug #: 1987 Summary: FIPS signature verification incompatibility with openssl versions > 0.9.8q Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: All Status: NEW Severity: normal

Greetings, As those working in the government sector (US and Canada) already know, compliance with FIPS 140-2 is a significant issue. While there are a few patches out there that add support for FIPS mode to OpenSSH, it is not currently in the mainstream. With the recent validation of the 1.2 version of the OpenSSL FIPS cryptographic object module, is there any chance that support could be added

Michael Selvesteen wrote: >I use OpenSSH 3.9 on HP-UX 11vi. I compiled OpenSSL 0.9.7e by enabling >FIPS. I found in the FIPS document that OpenSSL now contains the >FIPS 140 specific cryptographic API and algorithm implementations >only; i.e. the API for low level algorithms (RSA, AES, 3DES, DSA, >SHA-1). Does it have any functional impacts on SSH. > >Will all the

I guess my Google-fu wasn't up to this one! I have a system running CentOS 5.9 32-bit running in FIPS mode that I would like to update. Unfortunately, it fails when attempting to run "yum update". I've disabled all the repositories except for base and updates and still get the same issue, an error carping about an algorithm forbidden by FIPS. Here's what I see: >

On 4/18/23 05:05, Norbert Pocs wrote: > Hi OpenSSH mailing list, > > I would like to announce the newly introduced patch in Fedora rawhide [0] > for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9 > version. Why does Fedora care about FIPS 140? To me, this seems like it should be specific to RHEL and maybe CentOS Stream, not Fedora. My understanding

code version referenced: openssh-5.9p1 Hi all, When building openssh with openssl (specifically versions newer than openssl 0.9.8q), there is an issue if FIPS mode is active for openssl. In ssh-rsa.c on line 243 RSA_public_decrypt is called, which is disallowed now in openssl (if in FIPS mode). The library requires appliactions to use the EVP API if running in FIPS mode so it can disallow