FIPS compliance efforts in Fedora and RHEL

Dmitry Belyavskiy dbelyavs at redhat.com
Wed Apr 19 17:44:49 AEST 2023


Dear Damien,

On Wed, Apr 19, 2023 at 7:13 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Tue, 18 Apr 2023, Norbert Pocs wrote:
>
> > Hi OpenSSH mailing list,
> >
> > I would like to announce the newly introduced patch in Fedora rawhide [0]
> > for FIPS compliance efforts. The change will be introduced in an upcoming
> > RHEL 9 version.
> >
> > The patch targets OpenSSL support of OpenSSH, specifically the usage of
> > old low level API. The new OpenSSL version 3.0 introduces a FIPS
> > module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> > which can be used with the new EVP API to state OpenSSH being FIPS
> > compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> > module, therefore the change is needed for the new API.
>
> While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> Portable OpenSSH won't be able to merge this. We explicitly aim to support
> LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> I'd describe as "best effort").
>
> If this changes we can look again.

Yes, we understand and respect your choice.
Would it be acceptable in any form being wrapped in necessary #ifdefs?

-- 
Dmitry Belyavskiy
