FIPS compliance efforts in Fedora and RHEL

Damien Miller djm at
Wed Apr 19 15:11:37 AEST 2023

On Tue, 18 Apr 2023, Norbert Pocs wrote:

> Hi OpenSSH mailing list,
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for
> FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> version.
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> which can be used with the new EVP API to state OpenSSH being FIPS
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> module, therefore the change is needed for the new API.

While I'm sure this is good for RHEL/rawhide users who care about FIPS,
Portable OpenSSH won't be able to merge this. We explictly aim to support
LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
I'd describe as "best effort").

If this changes we can look again.


More information about the openssh-unix-dev mailing list