Hi All,

Will the OpenSSL community release all of OpenSSL with FIPS support, i.e. will the next release of OpenSSL support FIPS capability?

Thanks
Joshi Chandran

On Mon, Jan 12, 2009 at 7:23 PM, Steve Marquess <marqu...@oss-institute.org> wrote:
> PGNet wrote:
>
>> On Sun, Jan 11, 2009 at 3:42 PM, Steve Marquess <
>> marqu...@oss-institute.org> wrote:
>>
>>> Long story short, OpenSSH really needs some source mods to
>>> gracefully invoke and run in FIPS mode.
>>>
>>
>> Hrm ... I'd have thought that openssh would be among the 1st/best @
>> compliance.
>>
>
> Me too. I embarked on this FIPS validation adventure some six years ago
> because my DoD client at the time wanted a FIPS validated OpenSSH. I
> wrote a patch several years ago but didn't push it at the time because
> the first OpenSSL FIPS Object Module validation was still pending, and
> encountering some significant opposition that took all my attention.
> Now the OpenSSH patch is not a priority for any of my clients and I
> don't have the spare time to pursue it. I'd love to see someone else
> follow it through.
>
> To my knowledge Stunnel is the first application to formally support the
> FIPS Object Module. I've been told ProFTP has baselined support as
> well. I've heard privately from many people who have done local mods of
> various applications, but have been disappointed in how slowly this
> support is appearing publicly.
>
>>> Several people, myself included, have created patches to that end.
>>>
>>
>> Are those specific patches sourced in the openssl trees, the openssh
>> trees, or somewhere else? I'll google, but if you have URLs ...
>>
>
> I could point you to my original very dated patch but I know there are
> some more recent updates. Check the OpenSSH mail archives.
>
>>> Of course, if you don't plan to actually run in FIPS mode and just
>>> need buzzword compliance (often the case) then what you plan should
>>> work.
>>>
>>
>> We've gotten a heads-up that a gov't client will require in the next
>> (soon, tho hasn't occurred just yet ...) contract that SSH/VPN/IPSec/etc
>> comms will be required. Of course, detailed spec, verification, etc is not
>> yet available.
>>
>> $10 says it's for _their_ buzzword compliance ....
>>
>
> Very typical for DoD. The mandates for *procurement* of validated
> software are (increasingly) enforced, but there doesn't seem to be any
> effective push to actually *use* a runtime FIPS mode. That lack of
> pressure plus the interoperability issues that FIPS mode can cause means
> program managers have zero incentive to actually run anything in FIPS
> mode. It's a paper chase.
>
>> My goal is to get an all-ssh-in-fips-mode setup demo'd locally, then hand
>> it off to our tech folks so that we can then respond & document when the
>> demand occurs.
>>
>
> Please consider posting your patches to the OpenSSH lists...
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> marqu...@oss-institute.org
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Regards
Joshi Chandran