using sshd in fips mode

Sudarshan Soma sudarshan12s at
Tue Mar 20 22:23:28 AEDT 2018

Thanks All so much for your valuable guidence. understood the complexity.


On Mon, Mar 19, 2018 at 9:51 PM, Ingo Schwarze <schwarze at> wrote:

> Hi,
> Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:
> > Using FIPS mode is more complicated than changing a configuration
> > option or using the OpenSSL library in some way. There are several
> > patches adding this functionality, but none of them is incorporated
> > upstream.
> In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
> convinced that providing FIPS support would actually *lower* the
> overall security standards of the projects - even for users that
> keep it disabled, because ifdefs, options and the like always make
> code less readable and cause an additional risk of introducing bugs.
> For that reason, it is very unlikely that *any* FIPS-related patches
> might ever get merged.  They will most likely be summarily rejected,
> except when they have beneficial effects unrelated to FIPS.
> The lowered security standard that is caused by FIPS ought to remain
> restricted to those people who want it, and those people should
> also pay with their own money for having their security standard
> lowered in that way.  In a nutshell, if you want FIPS, use money
> and buy it somewhere, but not from OpenBSD/LibreSSL/OpenSSH directly.
> On the other hand, if you want the best possible security standards,
> stay away from FIPS.
> Yours,
>   Ingo
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list