Subject: Re: building libssh2 on FIPS enabled system

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 12 Aug 2013 15:49:36 +0200

On Monday, August 12, 2013 15:00:04 Ján Osuský wrote:
> Hi,
>
> I tried to build libssh2 on FIPS 140-2 compliant RedHat Linux. The build
> succeeded but the actual connections failed during key exchange phase. I
> noticed that it was related to use of non-FIPS compliant algorithms (namely
> MD5) which are not available in libcrypto when in FIPS mode. I fixed it by
> patching "src/openssl.h". If there is a better way, let me know. Anyhow, my
> patch is attached, have fun.

Thanks for the heads up! Could you please provide more details on how you
triggered the failure, what version of libssh2 you were using, and what
application you were running on top of libssh2?

The patch does not seem to be right because it disables the algorithms
at compile time. The decision about which algorithm to use should be
postponed to run time, IMO.

Kamil
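The run-time selection Kamil argues for, as an added example that is neither libssh2 code nor the attached patch: it reads the kernel's FIPS flag when the program starts and drops MD5-based MACs from the offered list only when FIPS mode is on, so one binary serves both FIPS and non-FIPS hosts. The MAC table, its preference order, and the fail-closed treatment of an unreadable sysctl are assumptions.

```c
/* Runtime (not compile-time) choice of SSH MAC algorithms, driven by the
 * kernel's FIPS flag. Assumed: a RHEL-style /proc/sys/crypto/fips_enabled
 * sysctl and the illustrative algorithm table below (example code only). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIPS_SYSCTL_PATH "/proc/sys/crypto/fips_enabled"

struct mac_method {
    const char *name;
    int fips_approved;  /* 0 for MD5-based MACs, which libcrypto rejects in FIPS mode */
};

/* Constructed table: names follow RFC 4253; the order is illustrative. */
static const struct mac_method all_macs[] = {
    { "hmac-sha2-256", 1 },
    { "hmac-sha1",     1 },
    { "hmac-md5",      0 },
    { "hmac-md5-96",   0 },
};

/* Returns 1 if the sysctl reports FIPS mode on, 0 if off, -1 if unreadable. */
int fips_enabled_at(const char *path)
{
    FILE *f = fopen(path, "r");
    int value;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &value) != 1) { fclose(f); return -1; }
    fclose(f);
    return value == 1 ? 1 : 0;
}

/* Fills 'out' with the MAC names to offer and returns how many were written.
 * An unknown FIPS state (-1) is treated like FIPS on (fail closed, assumption). */
size_t select_mac_methods(int fips, const char **out, size_t max)
{
    size_t n = 0, i;
    for (i = 0; i < sizeof(all_macs) / sizeof(all_macs[0]) && n < max; i++) {
        if (fips != 0 && !all_macs[i].fips_approved)
            continue;   /* skip MD5-based MACs unless FIPS is known to be off */
        out[n++] = all_macs[i].name;
    }
    return n;
}

int main(void)
{
    const char *offered[4];
    size_t i, n = select_mac_methods(fips_enabled_at(FIPS_SYSCTL_PATH), offered, 4);
    for (i = 0; i < n; i++) printf("%s\n", offered[i]);
    return 0;
}
```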

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2013-08-12