OpenSSH does not work with the FIPS mode of OpenSSL. This has been discussed both here and on the OpenSSH list.
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of cloud force Sent: Friday, February 12, 2016 11:44 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] no version information available error Thanks Jakob for the detailed info. On Thu, Feb 11, 2016 at 7:50 AM, Jakob Bohm <jb-open...@wisemo.com<mailto:jb-open...@wisemo.com>> wrote: On 10/02/2016 22:46, cloud force wrote: Hi Everyone, I installed the FIPS capable openssl library (which was built by myself) on my Ubuntu linux box. For some reason, I keep running into the following errors whenever I run ssh related command: ssh: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by ssh) The same error happens when I ran openssl command such as the following: linux-fips@ubuntu:/usr/local/ssl/lib$ openssl ciphers -v | wc -l openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by openssl) openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by openssl) openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0) openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0) The Debian-family (includes Ubuntu) standard OpenSSL shared libraries is built in a special way to include "version tags" in the resulting .so files, and all the openssl-needing binaries in Debian/Ubuntu/etc. produce the error message above if you install copies of those libraries without those extra "version tags". There are two alternative ways to solve this: A) Build your FIPS-cabable OpenSSL (not the FIPScanister) with all the extra steps and patches in the Ubuntu OpenSSL source package (.dsc etc.), just adding the FIPS canister. Note that some of the patches in the source package are backports of the security fixes included in the latest OpenSSL versions, you'll probably have to figure out the details yourself (unless Kurt Roeckz posts a recipe somewhere). B) Patch your FIPS-capable OpenSSL makefile (not the FIPScanister makefile) to use a different .so-version, such as .so.1.0.2 . Then your private openssl build will not be used by the prepackaged software while software explicitly compiled against your locally build OpenSSL will not accidentally pick up the standard non-FIPS OpenSSL. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10<tel:%2B45%2031%2013%2016%2010> This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- Thanks, Rich
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
