> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Salz, Rich via openssl-users
> Sent: Monday, June 11, 2018 08:52
>
> > So is there any other way we can still make it work without disabling
> > FIPS mode?
>
> No. The version of openssh you are using makes API calls that are not
> allowed in FIPS mode. I suspect later versions of OpenSSH also do this, and
> therefore "FIPS mode openssh" will require some coding work.

The OP should also note that this also implies this is an issue in OpenSSH, not OpenSSL. OpenSSL is working properly. FIPS 140-2 has various requirements, and OpenSSH is violating one of them.

And, further, note that even if there were a way to suppress this check without disabling FIPS mode, that would be pointless. A product that uses non-FIPS cryptography cannot claim FIPS validation or "FIPS Inside" (which is the claim that only FIPS-validated cryptography is used). Consequently, such a product doesn't meet the FIPS requirement, for customers who have such a requirement; and there's little or no other benefit to FIPS.

So, since you can't claim FIPS Inside while using OpenSSH, it seems your choices are:

1) disable FIPS mode and do not claim FIPS Inside;
2) find a commercial SSH implementation that is FIPS-validated, if there is such a thing; or
3) as Rich suggested, modify OpenSSH to only use FIPS-allowed APIs, which I suspect would not be trivial (but I haven't looked into it).

This is one of several reasons why FIPS 140-2 is a problem. Unfortunately the FIPS 140-3 effort seems to be moribund, and I haven't heard anything about "ISO FIPS" in some time.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users