Hi,

Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:

> Using FIPS mode is more complicated than changing a configuration
> option or using the OpenSSL library in some way. There are several
> patches adding this functionality, but none of them is incorporated
> upstream.

In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
convinced that providing FIPS support would actually *lower* the
overall security standards of the projects - even for users that keep
it disabled, because ifdefs, options and the like always make code
less readable and cause an additional risk of introducing bugs.

For that reason, it is very unlikely that *any* FIPS-related patches
might ever get merged. They will most likely be summarily rejected,
except when they have beneficial effects unrelated to FIPS.

The lowered security standard that is caused by FIPS ought to remain
restricted to those people who want it, and those people should also
pay with their own money for having their security standard lowered
in that way.

In a nutshell, if you want FIPS, use money and buy it somewhere, but
not from OpenBSD/LibreSSL/OpenSSH directly. On the other hand, if you
want the best possible security standards, stay away from FIPS.

Yours,
  Ingo

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev