
Re: libssh FIPS support


I'm confused now. The following is from the libssh release notes.

"When libssh is built against a recent version of OpenSSL we will use the
new APIs for KEX, DH, KDF and signatures. This is especially required for
FIPS compatibility"

So the above cannot be achieved with any released versions of openssl-fips?


--
Jijo

On Tue, May 12, 2020 at 7:56 PM Anderson Sasaki <ansasaki@xxxxxxxxxx> wrote:

>
>
> ----- Original Message -----
> > From: "jijo thomas" <jijo7thomas@xxxxxxxxx>
> > To: libssh@xxxxxxxxxx
> > Sent: Tuesday, May 12, 2020 3:44:58 PM
> > Subject: Re: libssh FIPS support
> >
> > Latest available openssl FIPS module is 2.0.16, which is compatible with
> > openssl 1.0.2
> > But libssh 0.9.4 requires openssl 1.1.1
> >
> > I don't think openssl 1.1.1g could be compiled with openssl-fips-2.0.16
> > (at least I was not able to do that)
> >
> > What am I missing here, to compile libssh with FIPS support in Windows?
>
> A FIPS certified module is not something you can compile on your machine.
> The module (which is in this case a binary) needs to be tested by an
> accredited laboratory and approved by NIST, which is an expensive and
> usually long process.
> What you are missing is the OpenSSL 1.1.1 certified module for Windows,
> which probably doesn't exist (I'm not aware of any).
>
>
>
