On 11/06/2018 18:14, Michael Wojcik wrote:
From: openssl-users [mailto:[email protected]] On Behalf Of
Salz, Rich via openssl-users
Sent: Monday, June 11, 2018 08:52
So is there is any other way we can still make it work without disabling FIPS
mode ?
No. The version of openssh you are using makes API calls that are not allowed
in FIPS mode. I suspect
later versions of OpenSSH also do this, and therefore “FIPS mode openssh” will
require some coding work.
The OP should also note this also implies this is an issue in OpenSSH, not
OpenSSL. OpenSSL is working properly. FIPS 140-2 has various requirements, and
OpenSSH is violating one of them.
And, further, note that even if there were a way to suppress this check without disabling
FIPS mode, that would be pointless. A product that uses non-FIPS cryptography cannot
claim FIPS validation or "FIPS Inside" (which is the claim that only
FIPS-validated cryptography is used). Consequently, such a product doesn't meet the FIPS
requirement, for customers who have such a requirement; and there's little or no other
benefit to FIPS.
Note that what seems to be violated here is not the FIPS requirements as
such, but the OpenSSL-specific rule that the older crypto functions are
not directed to the FIPS blob, just outright rejected. In this case,
that the more easy to use SHA256 OpenSSL 1.0.x API isn't forwarded to
the FIPS validated SHA256 implementation.
I don't know if FIPS-enabled OpenSSL 0.9.8 forwarded those calls to the
old FIPS validated implementation or just left the non-FIPS implementation
available by accident.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
