Re: using sshd in fips mode


 



Thanks all so much for your valuable guidance. Understood the complexity.


Regards,

On Mon, Mar 19, 2018 at 9:51 PM, Ingo Schwarze <schwarze@xxxxxxx> wrote:

> Hi,
>
> Jakub Jelen wrote on Mon, Mar 19, 2018 at 02:17:14PM +0100:
>
> > Using FIPS mode is more complicated than changing a configuration
> > option or using the OpenSSL library in some way. There are several
> > patches adding this functionality, but none of them is incorporated
> > upstream.
>
> In OpenBSD and the sub-projects like LibreSSL and OpenSSH, we are
> convinced that providing FIPS support would actually *lower* the
> overall security standards of the projects - even for users that
> keep it disabled, because ifdefs, options and the like always make
> code less readable and cause an additional risk of introducing bugs.
>
> For that reason, it is very unlikely that *any* FIPS-related patches
> might ever get merged.  They will most likely be summarily rejected,
> except when they have beneficial effects unrelated to FIPS.
>
> The lowered security standard that is caused by FIPS ought to remain
> restricted to those people who want it, and those people should
> also pay with their own money for having their security standard
> lowered in that way.  In a nutshell, if you want FIPS, use money
> and buy it somewhere, but not from OpenBSD/LibreSSL/OpenSSH directly.
> On the other hand, if you want the best possible security standards,
> stay away from FIPS.
>
> Yours,
>   Ingo
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


