On 09/21/2015 05:12 PM, security veteran wrote:
> Thanks Steve.
>
> Just out of my curiosity, I can imagine there might already be a lot
> of companies using the OpenSSL FIPS modules for FIPS validation.
> Since OpenSSH is almost everywhere in most server/appliance
> products, people should have run into the "OpenSSH not working with
> OpenSSL FIPS mode" issue before.

Yup, frequently.

> Do you know how most people resolve
> problems like this? Do they mostly use the OpenSSH patch to build the
> FIPS compliant version of OpenSSH, or did people do something else to
> resolve the issue?

I can't claim to know what "most" users do. I know that multiple software vendors have independently hacked OpenSSH for use in DoD (do a search on "site:csrc.nist.gov/groups/STM/cmvp/documents/ openssh" and you'll see a number of validated modules that specifically mention OpenSSH).

I also know from consulting within DoD for many years that OpenSSH is often used unmodified, a policy violation that often went completely unnoticed.

As a consultant I hacked OpenSSH multiple times for DoD clients and vendors to DoD clients, and I'm sure I wasn't the only one. There are also a handful of commercial knockoffs of OpenSSH supposedly adapted for DoD compliance, though I've been out of that arena long enough to no longer recall their names.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc