Hello, Some background -- I've had good luck in the past creating a functional FIPs-enabled OpenSSL and OpenSSH using these components:
fipscanister build from openssl-fips-1.2.tar.gz openssl 0.9.8l openssh (5.2p1 or 5.3p1) ssh patch for FIPS: http://cvs.fedoraproject.org/viewvc/devel/openssh/openssh-5.3p1-fips.patch?revision=1.2&content-type=text%2Fplain&view=co I've been able to rebuild using openssl 0.9.8n, but when running the ssh client connection setup fails during verification of the server's key. The key question is, I think, what has changed in 0.9.8m or 0.9.8n that would cause this? The only thing I've changed is the openssl version. The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has it somehow been tightened up such that in some situations it would function differently than before? Any help would be greatly appreciated. Here's part of the debug messages produced when trying to use `ssh`: [cow...@pkg8 /usr/home/cowens]$ ssh -vv 10.173.100.112 OpenSSH_5.2p1 FreeBSD-openssh-portable-overwrite-base-5.2.p1_2,1, OpenSSL 0.9.8n-fips 24 Mar 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to 10.173.100.112 [10.173.100.112] port 22. debug1: Connection established. ... debug1: kex: server->client aes128-cbc hmac-sha1 none debug2: mac_setup: found hmac-sha1 debug1: kex: client->server aes128-cbc hmac-sha1 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 152/320 debug2: bits set: 1058/2048 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '10.173.100.112' is known and matches the RSA host key. debug1: Found key in /home/cowens/.ssh/known_hosts:2 debug2: bits set: 1033/2048 bad decrypted len: 0 != 20 + 15 debug1: ssh_rsa_verify: signature incorrect key_verify failed for server_host_key Thank you, Charles -- ==== Charles Owens ==== ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org