
Re: libssh FIPS support


On Wed, 2020-05-13 at 19:19 +0530, jijo thomas wrote:
> I'm confused now. Following is from libssh release note.
> 
> "When libssh is built against a recent version of OpenSSL we will use
> the new APIs for KEX, DH, KDF and signatures. This is especially
> required for FIPS compatibility"
> 
> So the above cannot be achieved with any released versions of
> openssl-fips?

I assume you are referring to the Ubuntu package called openssl-fips which
provides the OpenSSL FIPS module. I don't know if they released any
openssl-fips package that would support the SSH KDF -- I assume not (but
you should consult your vendor).

In RHEL8, the normal openssl package is a FIPS module supporting all of the
above, and therefore FIPS compliance can be achieved.

Regards,
Jakub

> --
> Jijo
> 
> On Tue, May 12, 2020 at 7:56 PM Anderson Sasaki <ansasaki@xxxxxxxxxx>
> wrote:
> 
> > 
> > ----- Original Message -----
> > > From: "jijo thomas" <jijo7thomas@xxxxxxxxx>
> > > To: libssh@xxxxxxxxxx
> > > Sent: Tuesday, May 12, 2020 3:44:58 PM
> > > Subject: Re: libssh FIPS support
> > > 
> > > The latest available OpenSSL FIPS module is 2.0.16, which is
> > > compatible with openssl 1.0.2.
> > > But libssh 0.9.4 requires openssl 1.1.1.
> > > 
> > > I don't think openssl 1.1.1g could be compiled with
> > > openssl-fips-2.0.16 (at least I was not able to do that).
> > > 
> > > What am I missing here, to compile libssh with FIPS support on
> > > Windows?
> > 
> > A FIPS certified module is not something you can compile on your
> > machine.
> > The module (which is in this case a binary) needs to be tested by an
> > accredited laboratory and approved by NIST, which is an expensive and
> > usually long process.
> > What you are missing is the OpenSSL 1.1.1 certified module for
> > Windows, which probably doesn't exist (I'm not aware of any).
> > 
> > 
> > 
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

