FIPS compliance efforts in Fedora and RHEL

Demi Marie Obenour demiobenour at
Wed Apr 19 07:21:44 AEST 2023

On 4/18/23 05:05, Norbert Pocs wrote:
> Hi OpenSSH mailing list,
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> version.

Why does Fedora care about FIPS 140?  To me, this seems like it
should be specific to RHEL and maybe CentOS Stream, not Fedora.
My understanding is that Fedora will never be FIPS 140 complaint
anyway so there is no point in even trying, not least because
the FIPS validated version will generally be _less_ secure than
the non-FIPS version.  To give just one example, OpenSSH defaults
to a post-quantum key exchange that FIPS does not allow.
Demi Marie Obenour (she/her/hers)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB288B55FFF9C22C1.asc
Type: application/pgp-keys
Size: 4885 bytes
Desc: OpenPGP public key
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list