Hi,
I used libssh2 1.4.2.
The failure happened in kex.c in function "diffie_hellman_sha1" there is part
of code:
#if LIBSSH2_MD5
{
libssh2_md5_ctx fingerprint_ctx;
libssh2_md5_init(&fingerprint_ctx);
libssh2_md5_update(fingerprint_ctx, session->server_hostkey,
session->server_hostkey_len);
libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5);
}
which must not be called when MD5 is not available. That's why I concentrated on setting
properly the "LIBSSH2_MD5".
JanO
On Mon, 12 Aug 2013 15:49:36 +0200, Kamil Dudka <kdu...@redhat.com> wrote:
On Monday, August 12, 2013 15:00:04 Ján Osuský wrote:
Hi,
I tried to build libssh2 on FIPS 140-2 compliant RedHat Linux. The build
succeeded but the actual connections failed during key exchange phase. I
noticed that it was related to use of non-FIPS compliant algorithms (namely
MD5) which are not available in libcrypto when in FIPS mode. I fixed it by
patching "src/openssl.h". If there is a better way, let me know. Anyhow, my
patch is attached, have fun.
Thanks for heads up! Could you please provide more details on how you
triggered the failure, what version of libssh2 you were using, and what
application you were running on top of libssh2?
The patch does not seem to be right because it disables the algorithms
at compile time. The decision about which algorithm to use should be
postponed to the run time IMO.
Kamil
--
Ján Osuský (jan.osu...@iblsoft.com)
IBL Software Engineering, http://www.iblsoft.com
Galvaniho 17/C, 82104 Bratislava, Slovakia
Tel: +421-2-32662111, fax: +421-2-32662110
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
