Re: libssh FIPS support


On Wed, 2020-05-13 at 20:18 +0530, jijo thomas wrote:
> Glad to know that it is working in RHEL8.
> I will check the openssl versions included in that package.
> 
> But here I'm trying to build everything in Windows using Visual
> Studio 2017.
> Used the following sources to build the libraries.
> 
> Openssl-fips (2.0.16)(latest available in openssl site):
> https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
> Openssl (1.0.2):
> https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
> 
> Both the above can be compiled together. But it won't support libssh
> 0.9.4.

Hello,
Thanks for clarification.

Libssh should build fine against openssl 1.0.2, as far as I know. We
run it in CI against CentOS 7. But it is EOL and the version certainly
does not have all the features that are needed for FIPS compliance.

> It requires openssl 1.1.1
> 
> openssl (1.1.1) : 
> https://www.openssl.org/source/openssl-1.1.1g.tar.gz
> 
> Now this version of openssl (1.1.1) won't compile using Openssl-fips
> (2.0.16)

This is probably something to discuss with openssl developers, why
their FIPS module is not up to date. I don't know the reasons, but I
would be surprised if they would plan to do something with that for
1.1.1 version when 3.0 is on the way out.

You can try to build OpenSSL from CentOS 8 sources [1] (sorry, I can
not be more helpful in the way what all is done there to make it
working). But even if you would build it, the openssl build would have
to be taken through the FIPS certification (as mentioned by Anderson
before) to be really FIPS compliant.

[1] https://git.centos.org/rpms/openssl/blob/c8/f/SOURCES

Regards,
Jakub

> That is where I'm stuck.
> 
> --
> Jijo
> 
> 
> On Wed, May 13, 2020 at 8:06 PM Jakub Jelen <jjelen@xxxxxxxxxx>
> wrote:
> 
> > On Wed, 2020-05-13 at 19:19 +0530, jijo thomas wrote:
> > > I'm confused now. Following is from libssh release note.
> > > 
> > > "When libssh is built against a recent version of OpenSSL we will
> > > use
> > > the
> > > new APIs for KEX, DH, KDF and signatures. This is especially
> > > required
> > > for
> > > FIPS compatibility"
> > > 
> > > So the above cannot be achieved with any released versions of
> > > openssl-fips?
> > 
> > I assume you are referring to ubuntu package called openssl-fips
> > which
> > is providing openssl fips module. I don't know if they did release
> > any
> > openssl-fips package that would support SSH KDF -- I assume not
> > (but
> > you should consult your vendor).
> > 
> > In RHEL8, normal openssl package is a FIPS module supporting all
> > above
> > and therefore the fips compliance can be achieved.
> > 
> > Regards,
> > Jakub
> > 
> > > --
> > > Jijo
> > > 
> > > On Tue, May 12, 2020 at 7:56 PM Anderson Sasaki <
> > > ansasaki@xxxxxxxxxx>
> > > wrote:
> > > 
> > > > ----- Original Message -----
> > > > > From: "jijo thomas" <jijo7thomas@xxxxxxxxx>
> > > > > To: libssh@xxxxxxxxxx
> > > > > Sent: Tuesday, May 12, 2020 3:44:58 PM
> > > > > Subject: Re: libssh FIPS support
> > > > > 
> > > > > Latest available openssl FIPS module is 2.0.16 which is
> > > > > compatible with
> > > > > openssl 1.0.2
> > > > > But libssh 0.9.4 require openssl 1.1.1
> > > > > 
> > > > > I don't think openssl 1.1.1g could be compiled with openssl-
> > > > > fips-
> > > > > 2.0.16
> > > > (at
> > > > > least I was not able to do that)
> > > > > 
> > > > > What am I missing here, to compile libssh with FIPS support
> > > > > in
> > > > > windows?
> > > > 
> > > > A FIPS certified module is not something you can compile in
> > > > your
> > > > machine.
> > > > The module (which is in this case a binary) needs to be tested
> > > > by
> > > > an
> > > > accredited laboratory and approved by NIST, which is an
> > > > expensive
> > > > and
> > > > usually long process.
> > > > What you are missing is the OpenSSL 1.1.1 certified module for
> > > > windows,
> > > > which probably doesn't exist (I'm not aware of any).
> > > > 
> > > > 
> > > > 
> > --
> > Jakub Jelen
> > Senior Software Engineer
> > Security Technologies
> > Red Hat, Inc.
> > 
> > 
> > 
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
