Dear Damien,

On Wed, Apr 19, 2023 at 7:13 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Tue, 18 Apr 2023, Norbert Pocs wrote:
>
> > Hi OpenSSH mailing list,
> >
> > I would like to announce the newly introduced patch in Fedora rawhide [0]
> > for FIPS compliance efforts. The change will be introduced in an upcoming
> > RHEL 9 version.
> >
> > The patch targets OpenSSL support of OpenSSH, specifically the usage of
> > old low level API. The new OpenSSL version 3.0 introduces a FIPS
> > module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> > which can be used with the new EVP API to state OpenSSH being FIPS
> > compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> > module, therefore the change is needed for the new API.
>
> While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> Portable OpenSSH won't be able to merge this. We explicitly aim to support
> LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> I'd describe as "best effort").
>
> If this changes we can look again.

Yes, we understand and respect your choice.
Would it be acceptable in any form being wrapped in necessary #ifdefs?

--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev