FIPS compliance efforts in Fedora and RHEL
Damien Miller
djm at mindrot.org
Wed Apr 19 15:11:37 AEST 2023
On Tue, 18 Apr 2023, Norbert Pocs wrote:
> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for
>
> FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
>
> version.
>
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
>
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
>
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
>
> which can be used with the new EVP API to state OpenSSH being FIPS
>
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
>
> module, therefore the change is needed for the new API.
While I'm sure this is good for RHEL/rawhide users who care about FIPS,
Portable OpenSSH won't be able to merge this. We explictly aim to support
LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
I'd describe as "best effort").
If this changes we can look again.
-d
More information about the openssh-unix-dev
mailing list