Call for testing: OpenSSH-5.7
Scott Neugroschl
scott_n at xypro.com
Wed Jan 19 10:24:54 EST 2011
> -----Original Message-----
> From: Steve Marquess
>
> Yes, the modifications in total are ugly because FIPS 140-2 imposes a
> number of restrictions. For one thing many types of cryptography are
> disallowed in the FIPS mode of operation. The "FIPS capable" OpenSSL
> library (OpenSSL built with the FIPS module to present one seamless
> external API) will automagically fail on attempts to use disallowed
> crypto, but not gracefully. Much of the complexity of the patches comes
> from graceful exception handling.
>
One way to deal with this is to modify the list of allowed algorithms
when reading the ssh/sshd config file.
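
The config-time filtering suggested in the reply above, as an added example that is not part of the original message and is not OpenSSH's own code. The helper name `fips_filter_list`, the allowlist contents and the sample cipher list are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allowlist (AES, 3DES cipher names) for illustration only. */
static const char *fips_ciphers[] = {
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", NULL
};

static int fips_allowed(const char *s, size_t n)
{
    for (size_t i = 0; fips_ciphers[i] != NULL; i++)
        if (strlen(fips_ciphers[i]) == n && !memcmp(s, fips_ciphers[i], n))
            return 1;
    return 0;
}

/* Hypothetical helper: filter a comma-separated Ciphers value, keeping the
 * configured order. Returns a malloc'd list, or NULL if nothing is left. */
char *fips_filter_list(const char *configured)
{
    char *out = calloc(strlen(configured) + 1, 1);
    const char *p = configured;
    while (out != NULL && *p != '\0') {
        size_t n = strcspn(p, ",");
        if (n > 0 && fips_allowed(p, n)) {
            if (out[0] != '\0')
                strcat(out, ",");
            strncat(out, p, n);
        } else if (n > 0) {
            fprintf(stderr, "FIPS mode: dropping %.*s\n", (int)n, p);
        }
        p += n + (p[n] == ',');
    }
    if (out != NULL && out[0] == '\0') {
        free(out);
        out = NULL;   /* caller rejects the config at load time */
    }
    return out;
}

int main(void)
{
    /* Constructed sample value, not from a real configuration file. */
    char *kept = fips_filter_list("aes128-ctr,arcfour256,blowfish-cbc,3des-cbc");
    puts(kept ? kept : "(no approved cipher left)");
    free(kept);
    return 0;
}
```

Filtering at load time means a disallowed algorithm is never offered during negotiation, so the failure surfaces as a logged configuration decision instead of an error deep inside the crypto library.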