Thanks for your prompt response . Do you have the name of the patch to share with us?
Thanks Anamitra On 2/23/11 1:42 PM, "Dr. Stephen Henson" <st...@openssl.org> wrote: > On Wed, Feb 23, 2011, anmajumd wrote: > >> >> We recently built FIPS compliant openssl 0.9.8q. Earlier we were using >> 0.9.8l . With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when >> running the OpenSSH client, connection setup fails during verification of >> the server key. >> We did not not run into this SSH issue with 0.9.8l. Has anything changed >> between 0.9.8l and 0.9.8q that would cause this? >> >> The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has it >> somehow been tightened up . >> > > Yes, you aren't allowed to call RSA_public_decrypt() directly in FIPS mode: > instead you have to use the EVP interface for EVP_Verify*(). There is a patch > which changes the ssh code to use EVP instead (while still being compatible > with other versions of OpenSSL). > > Due to a bug the restriction wasn't enforced in some versions of OpenSSL. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
