Is Apache MINA SSHD's implementation FIPS compliant? That is, can MINA SSHD be configured to use a FIPS-compliant cryptographic engine (like openssl), does it clear memory at the appropriate times, etc.?
I do not believe SSHD is FIPS compliant - while it can be configured to use any security provider one likes (it supports SunJCE and Bouncycastle by default) I am not sure it does all that is required of a FIPS compliant module - e.g. " clear memory at the appropriate times". We do several related issues for it (e.g., SSHD-723 <https://issues.apache.org/jira/browse/SSHD-723>) but FIPS certification has not been a priority of the project, nor do I see it being implemented and certified in view of the very limited resources we have - unless some 3rd party undertakes this task.
