Hi,
James Ralston wrote:
> On Fri, Mar 10, 2023 at 10:27 AM Joel GUITTET
> <jguittet.opensource@xxxxxxxxxxx> wrote:
> > [SNIP]
> > Patching OpenSSH for this looks to be a massive job. Is it something
> > that is considered on your side?
>
> No patching of OpenSSH is required.
Reality is different.
1.) Some FIPS validated modules limit API use.
Program code must use only the allowed API for cryptographic operations.
2.) Some FIPS validated modules do not include FIPS allowed algorithms.
Program code could inform the cryptographic library that a "custom" algorithm is allowed in FIPS mode.
3.) A user friendly program does not require manual configuration.
The program must detect that the cryptographic module runs in FIPS mode and must not offer, or must refuse, the use of non-FIPS allowed algorithms.
Optionally the program may force the cryptographic module to run in FIPS mode.
For the protocol, all of the above is part of PKIX-SSH.
Regards,
Roumen Petrov
--
Advanced secure shell implementation with X.509 certificate support
http://roumenpetrov.info/secsh/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev