Alternate Open Source Crypto Solution in OpenSSH

Kaleb Himes kaleb at wolfssl.com
Tue Jan 5 03:38:03 AEDT 2016

Hello OpenSSH Developers and Community,

wolfSSL (formerly known as CyaSSL) is a dual licensed SSL/TLS
implementation specializing in the embedded space. As we have grown we are
being used in larger systems due to our reduced resource consumption on a
per-session basis. Many have found that their servers are able to service
more connections by replacing OpenSSL with wolfSSL.

Our engineers have recently completed a port to OpenSSH. This port rips
OpenSSL out of OpenSSH and inserts wolfSSL in its place.

So why would you care about OpenSSL or wolfSSL, what does it really matter
anyway?

1.     wolfSSL offers a pluggable Federal Information Processing Standard
(FIPS 140-2) certified crypto library.

a.     Read more about FIPS in wolfSSL
<https://wolfssl.com/wolfSSL/fips.html>.

b.     See our FIPS certification.
<http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2425>

2.     OpenSSL has suffered over the past few years with too many
contributions from a variety of sources. The lack of testing and
verification of each submission to OpenSSL has resulted in numerous
security vulnerabilities.

3.     We are very selective about who can submit code to our libraries and
each commit is tested extensively to ensure the best security is always
provided for our customers.

4.     We would like to provide consumers of OpenSSH with an alternate
crypto solution.

We have actively been testing our port on Linux and Mac OS X.

If this is something that interests you, we would like to formally extend
an invitation to test our port on the OS you use, and provide
feedback/suggestions on your results.

Thank you for your time.

Details on getting a copy of our port, the wolfSSL libraries, and feedback
channels can be found below.

OpenSSH port Location: https://github.com/kaleb-himes/openssh-portable.git

wolfSSL Location: https://github.com/wolfSSL/wolfssl.git

or download from our website:

https://wolfssl.com/wolfSSL/download/downloadForm.php

From your terminal:

git clone https://github.com/kaleb-himes/openssh-portable.git
git clone https://github.com/kaleb-himes/wolfssl.git

cd wolfssl
./autogen.sh
./configure --prefix=/usr/local/lib --enable-openssh && make && sudo make install

cd ..
cd openssh-portable
autoreconf
./configure --with-wolfssl=/usr/local/lib --with-pam && make && make tests
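Once the build above finishes, a practitioner will want to confirm that the resulting binaries really load wolfSSL and no longer pull in OpenSSL's libcrypto/libssl. The following check is an added example, not part of the original post or the wolfSSL port; it reads ldd-style output and assumes the installed library names libwolfssl.so, libcrypto.so and libssl.so (on OS X you would feed it otool -L output instead).

```sh
#!/bin/sh
# Added example (not from the original post): verify that an OpenSSH binary
# built against the wolfSSL port is linked to libwolfssl and not to OpenSSL.
# check_linkage reads `ldd`-style output on stdin; $1 is a label for messages.
# Library file names are assumptions about the installed names; adjust as needed.
check_linkage() {
    label="$1"
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'libwolfssl\.so'; then
        echo "$label: libwolfssl is not linked" >&2
        return 1
    fi
    # A stray libcrypto/libssl means the system OpenSSL was still picked up.
    if printf '%s\n' "$out" | grep -Eq 'lib(crypto|ssl)\.so'; then
        echo "$label: still linked against OpenSSL" >&2
        return 2
    fi
    echo "$label: OK (wolfSSL only)"
    return 0
}

# Constructed sample: a binary built as intended. The lib path follows the
# --prefix=/usr/local/lib used above, so the .so lands in /usr/local/lib/lib.
SAMPLE_GOOD='linux-vdso.so.1 (0x00007ffd0c5f1000)
	libwolfssl.so.3 => /usr/local/lib/lib/libwolfssl.so.3 (0x00007f1a2c000000)
	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f1a2bc00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b800000)'

# Constructed sample: the system OpenSSL libcrypto was linked in as well.
SAMPLE_BAD='linux-vdso.so.1 (0x00007ffd0c5f1000)
	libwolfssl.so.3 => /usr/local/lib/lib/libwolfssl.so.3 (0x00007f1a2c000000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1a2b400000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b800000)'

# Real usage after `make`:  ldd ./ssh | check_linkage ssh ; ldd ./sshd | check_linkage sshd
printf '%s\n' "$SAMPLE_GOOD" | check_linkage sample-good
printf '%s\n' "$SAMPLE_BAD" | check_linkage sample-bad || echo "sample-bad rejected as expected"
```

Run it against both ssh and sshd, since a missing --with-wolfssl path or a stale system OpenSSL can affect one binary and not the other.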

Our Jenkins server is now using this port to actively checkout changes from
github and is also running all slave nodes using SSH with this port. This
provides us with some real-world testing in addition to the unit tests.

Feedback can be sent to: info at wolfssl.com or support at wolfssl.com

Additional Feedback Avenue: http://www.wolfssl.com/forums/

Sources:

"Portable OpenSSH." www.openssh.com. Accessed December 31, 2015.
http://www.openssh.com/portable.html.

Kaleb Himes

www.wolfssl.com

kaleb at wolfssl.com

Skype: kaleb.himes

+1 406 381 9556
