Is there any patch which I can apply to OpenSSH to make it compatible with FIPS-enabled OpenSSL?
Thanks
Joshi

On Thu, Oct 9, 2008 at 5:13 PM, Steve Marquess <[EMAIL PROTECTED]> wrote:

> Kyle Hamilton wrote:
>
>> Okay. Let's see if I can piece together everything I've learned about
>> the FIPS experience so far...
>>
>> FIPS-1.1.2 only generates a static fipscanister, which can only be
>> used to generate a static library. (except on Windows, where it can
>> be built into a shared library.)
>>
>
> The fipscanister.o for v1.1.2 is generated with position independent code
> or not depending on the default build options borrowed from the 0.9.7
> baseline at the time. On Windows it happens that position independent code
> is generated automatically, hence that object module can be incorporated in
> shared code. On Linux and some other platforms that isn't the case.
>
> Note we were originally going to test both shared and non-shared builds,
> but ran out of money for the test lab fees (each such "platform" variation
> drives up the price).
>
> For v1.2 we decided to just force position independent code generation
> universally.
>
> ...
>>
>> FIPS-1.1.2 is the most recent validated fipscanister. 1.2.0 is
>> currently submitted for review, but there is no timeframe (other than
>> 'it could take until the end of the next ice age') for its validation.
>>
>
> The latest info I've heard is that there is a new reviewer (new hire) who
> has decided to revisit the entire history of the original validation from
> the beginning, i.e. effectively second guessing the CMVP reviewers of those
> prior validations. That first validation took five years, an Internet ice
> age indeed.
>
>> If you want to test the functionality of FIPS-1.2.0, you need to
>> download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from
>> the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz
>> from the same location.
>>
>> If you want a currently-validated solution, you need
>> openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.
>>
>> Anyone got any comments on whether I've gotten this right?
>>
>
> You did.
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>

--
Regards
Joshi Chandran