[Bug 3603] ssh clients can't communicate with server with default cipher when fips is enabled at server end

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Aug 21 18:49:23 AEST 2023


--- Comment #20 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
I see several problems with the proposed patch. It resolves the case
when the run-time and build-time OpenSSL version differs in
capabilities. The problem is it relies on legacy OpenSSL API that
contradicts the initial request (FIPS compatibility). Also EC curve
detection uses the API OpenSSL considers legacy (and so not
FIPS-compliant). And from the FIPS perspective, all NIST curves
supported by OpenSSH are allowed.

You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list