On Friday, July 25, 2014 10:08:02 Bert Huijben wrote:
> If I remember correctly there is a compile time flag for libssh2 to enable a
> strict fips mode.
I do not think so. Did not you mean a compile time flag for OpenSSL?
> I would guess this might break compatibility with some (probably older) ssh
> implementations that don't implement newer (optional) cyphers.
>
> Bert
>
> -----Original Message-----
> From: "john gloster" <glosterj9_at_gmail.com>
> Sent: 25-7-2014 09:33
> To: "libssh2-devel_at_cool.haxx.se" <libssh2-devel_at_cool.haxx.se>
> Subject: FIPS Compliance.
>
> Hi,
>
>
> I wanted to know whether libssh2 1.4.2/1.4.3 are compatible with FIPS
> compliant OpenSSL version openssl-1.0.0-20 ?
I pushed a few FIPS-related patches between 1.4.2 and 1.4.3:
http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=43b730c
http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=bfbb5a4
http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=5d567fa
http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=9f6fd5a
> I compiled libssh2 1.4.3 with this particular version of openssl and i could
> see that my application linking to this libssh crashes.
>
>
> In other cases, my application runs successfully if i compile libssh2 1.4.3
> with openssl-1.0.1e-16.
>
>
> Could some one please shed light on this one?
The basic idea behind those patches is to return a failure if a non-FIPS
algorithm (such as MD5) is requested by the application. So libssh2 should
no longer crash on its own. Still you need to handle these failures in your
application in order not to crash anyway.
Kamil
> Alternately please let me know whether i can configure libssh2 to use a
> particular set crypto algorithms supported by the openssl.
>
>
> Thanking you on advance.
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2014-07-25