OpenSSH use of OpenSSL in FIPS Mode

Joshua Hill josh-lists at
Tue Mar 6 10:36:43 EST 2007

On Mon, Mar 05, 2007 at 01:28:20PM -0800, Stan Kladko wrote:
> It is specified that the module provides "all the cryptographic services in 
> the solution". 

Do you not consider key establishment a "cryptographic service"?

It would seem that we are largely speaking past each other in this
instance.  I acknowledge that some services (such as Anti-Virus, as you
mentioned) may be generally considered a "security service", but would
not normally be relevant to FIPS 140.

This is not the matter at hand, however.  The matter at hand is: "Should
OpenSSH be modified to allow it to use the FIPS module within OpenSSL?"

My contention is that this would not be particularly useful action to
take as:
 (1) Key establishment _is_ relevant to FIPS 140.  
 (2) OpenSSH implements key establishment such that the protocol is
 largely outside of OpenSSL.  Yes, OpenSSH uses the underlying crypto
 algorithms provided by OpenSSL, but the key establishment is done
 outside OpenSSL.

As a consequence of (1) and (2), if one were to modify OpenSSH to take
advantage of the validated portion of OpenSSL, one would still not
have a package that would be appropriate for use within the US Federal

In fact, to accomplish this end, one would still have to go through
a separate validation process for the OpenSSH functionality, which
means that it's about the same condition prior to the entire OpenSSL
sub-component validation.


More information about the openssh-unix-dev mailing list