FIPS compliance efforts in Fedora and RHEL

Roumen Petrov openssh at
Thu Apr 20 04:55:37 AEST 2023

Dmitry Belyavskiy wrote:
> [SNIP]
> I think it's doable if libressl has 1.1.1-style EVP API. It is
> possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API
> afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0

1.1.1 API !??!?!?!
PKIX-SSH uses EVP_PKEY and works fine even with ancient OpenSSL 0.9.7.

EVP_PKEY is core functionality, and so OpenSSL forks compatible with the 1.0.2 API support such functionality as well!!!!!!!
Note: EVP_PKEY is SSLeay, i.e. pre-OpenSSL, functionality!

All functionality outside EVP was deprecated in the OpenSSL 1.0.0 API.

So who cares about the 1.1.1 API?
One day, perhaps in the year 2187, the OpenBSD implementation will stop using API deprecated in 1.0.0.

Roumen Petrov

Advanced secure shell implementation with X.509 certificate support
