Re: using sshd in fips mode

Hi,

Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:

> Using FIPS mode is more complicated than changing a configuration
> option or using the OpenSSL library in some way. There are several
> patches adding this functionality, but none of them is incorporated
> upstream.

In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
convinced that providing FIPS support would actually *lower* the
overall security standards of the projects - even for users that
keep it disabled, because ifdefs, options and the like always make
code less readable and cause an additional risk of introducing bugs.

For that reason, it is very unlikely that *any* FIPS-related patches
might ever get merged.  They will most likely be summarily rejected,
except when they have beneficial effects unrelated to FIPS.

The lowered security standard that is caused by FIPS ought to remain
restricted to those people who want it, and those people should
also pay with their own money for having their security standard
lowered in that way.  In a nutshell, if you want FIPS, use money
and buy it somewhere, but not from OpenBSD/LibreSSL/OpenSSH directly.
On the other hand, if you want the best possible security standards,
stay away from FIPS.

Yours,
  Ingo
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
