Re: Enabling FIPS on a custom embedded system.

On 10/26/2016 06:06 PM, Eric Tremblay wrote:
> Hi Steve,
> 
> Thanks for the quick reply.
> 
> That is what I had understood from my reading but wasn't sure.
> 
> My next question is about OpenSSH.  There is no official support in
> OpenSSH for FIPS at the moment, right?
> 
> Thanks
> 
> Eric
> 

No, and there never will be; as I understand it the OpenSSH project has
taken the position that FIPS 140 isn't a desirable feature for OpenSSH.
TBH they have a point; from any technical perspective (e.g. security,
performance, maintainability) FIPS support is a negative. Ditto X.509,
where the OpenSSH project has implemented a much simpler and more robust
certificate scheme.

You can find a rather old patch at
http://openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch, but
note that OpenSSH has evolved considerably since then.

There is another issue to consider as well. The only sane reason to use
FIPS 140 validated software is for deployment in environments where such
validation is a mandatory policy requirement. The US DoD is the largest
such environment, and there X.509 is also a mandate. Roumen Petrov has
for years maintained patches to add X.509 support to OpenSSH
(http://roumenpetrov.info/openssh/), but hacking OpenSSH for both FIPS
140 and X.509 is not a project for the faint-hearted, and since OpenSSH
is unlikely to ever add either feature officially you're left with a
long maintenance tail.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess@xxxxxxxxxxx
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users