FIPS compliance efforts in Fedora and RHEL
openssh at roumenpetrov.info
Thu Apr 20 04:55:37 AEST 2023
Dmitry Belyavskiy wrote:
> I think it's doable if libressl has 1.1.1-style EVP API. It is
> possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API
> afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0
1.1.1 API !??!?!?!
PKIX-SSH uses EVP_PKEY and work-fine with even with ancient OpenSSL 0.9.7.
EVP_PKEY is core functionality and so OpenSSL forks compatible with 1.0.2 API support such functionality as well!!!!!!!
Note EVP_PKEY is SSLea , i.e. pre OpenSSL functionality!
All outside EVP functionality was deprecated in OpenSSL 1.0.0 API.
So who cares for 1.1.1 API?
One day, perhaps in 2187 year, OpenBSD implementation will stop to use API deprecated in 1.0.0.
Advanced secure shell implementation with X.509 certificate support
More information about the openssh-unix-dev