Hi,
I used libssh2 1.4.2.
The failure happened in kex.c in function "diffie_hellman_sha1" there is part of code:
#if LIBSSH2_MD5
{
libssh2_md5_ctx fingerprint_ctx;
libssh2_md5_init(&fingerprint_ctx);
libssh2_md5_update(fingerprint_ctx, session->server_hostkey,
session->server_hostkey_len);
libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5);
}
which must not be called when MD5 is not available. That's why I concentrated on setting properly the "LIBSSH2_MD5".
JanO
On Mon, 12 Aug 2013 15:49:36 +0200, Kamil Dudka <kdudka_at_redhat.com> wrote:
> On Monday, August 12, 2013 15:00:04 Ján Osuský wrote:
>> Hi,
>>
>> I tried to build libssh2 on FIPS 140-2 compliant RedHat Linux. The build
>> succeeded but the actual connections failed during key exchange phase. I
>> noticed that it was related to use of non-FIPS compliant algorithms (namely
>> MD5) which are not available in libcrypto when in FIPS mode. I fixed it by
>> patching "src/openssl.h". If there is a better way, let me know. Anyhow, my
>> patch is attached, have fun.
>
> Thanks for heads up! Could you please provide more details on how you
> triggered the failure, what version of libssh2 you were using, and what
> application you were running on top of libssh2?
>
> The patch does not seem to be right because it disables the algorithms
> at compile time. The decision about which algorithm to use should be
> postponed to the run time IMO.
>
> Kamil
>
-- Ján Osuský (Jan.Osusky_at_iblsoft.com) IBL Software Engineering, http://www.iblsoft.com Galvaniho 17/C, 82104 Bratislava, Slovakia Tel: +421-2-32662111, fax: +421-2-32662110 _______________________________________________ libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-develReceived on 2013-08-12