Re: FIPS compliance efforts in Fedora and RHEL

On Tue, 18 Apr 2023, Norbert Pocs wrote:

> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for FIPS compliance efforts. The change will be introduced in an upcoming
> RHEL 9 version.
>
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> which can be used with the new EVP API to state OpenSSH being FIPS
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> module, therefore the change is needed for the new API.

While I'm sure this is good for RHEL/rawhide users who care about FIPS,
Portable OpenSSH won't be able to merge this. We explicitly aim to support
LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
I'd describe as "best effort").

If this changes we can look again.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


