On Tue, 18 Apr 2023, Norbert Pocs wrote:

> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0] for
> FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> version.
>
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> which can be used with the new EVP API to state OpenSSH being FIPS
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> module, therefore the change is needed for the new API.

While I'm sure this is good for RHEL/rawhide users who care about FIPS,
Portable OpenSSH won't be able to merge this. We explicitly aim to support
LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
I'd describe as "best effort").

If this changes we can look again.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev