Thanks all so much for your valuable guidance. Understood the complexity.

Regards,

On Mon, Mar 19, 2018 at 9:51 PM, Ingo Schwarze <schwarze@xxxxxxx> wrote:
> Hi,
>
> Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:
>
> > Using FIPS mode is more complicated than changing a configuration
> > option or using the OpenSSL library in some way. There are several
> > patches adding this functionality, but none of them is incorporated
> > upstream.
>
> In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
> convinced that providing FIPS support would actually *lower* the
> overall security standards of the projects - even for users that
> keep it disabled, because ifdefs, options and the like always make
> code less readable and cause an additional risk of introducing bugs.
>
> For that reason, it is very unlikely that *any* FIPS-related patches
> might ever get merged. They will most likely be summarily rejected,
> except when they have beneficial effects unrelated to FIPS.
>
> The lowered security standard that is caused by FIPS ought to remain
> restricted to those people who want it, and those people should
> also pay with their own money for having their security standard
> lowered in that way. In a nutshell, if you want FIPS, use money
> and buy it somewhere, but not from OpenBSD/LibreSSL/OpenSSH directly.
> On the other hand, if you want the best possible security standards,
> stay away from FIPS.
>
> Yours,
> Ingo
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev