<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
You will need to patch OpenSSH to not call the SHA256_XXX() APIs directly. To work with FIPS enabled, the EVP API must be used for all crypto operations.
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">--</div>
<div class="">-Todd Short</div>
<div class="">// <a href="mailto:tshort@akamai.com" class="">tshort@akamai.com</a></div>
<div class="">// "One if by land, two if by sea, three if by the Internet."</div>
</div>
</div>
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Jun 11, 2018, at 10:44 AM, Sandeep Deshpande <<a href="mailto:sandeep.bvb@gmail.com" class="">sandeep.bvb@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">Thanks for the reply. Our appliance is enabled in FIPS mode by default.
<div class="">All these days, we were using openssh 6.2 with openssl 0.9.8. </div>
<div class="">Now we need to upgrade openssl to 1.0.2j. </div>
<div class="">But we would not like to upgrade openssh at this time.</div>
<div class=""><br class="">
</div>
<div class="">So is there is any other way we can still make it work without disabling FIPS mode ?</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Sandeep</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Sat, Jun 9, 2018 at 10:38 AM, Viktor Dukhovni <span dir="ltr" class="">
<<a href="mailto:openssl-users@dukhovni.org" target="_blank" class="">openssl-users@dukhovni.org</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br class="">
<br class="">
> On Jun 9, 2018, at 1:35 PM, Sandeep Deshpande <<a href="mailto:sandeep.bvb@gmail.com" class="">sandeep.bvb@gmail.com</a>> wrote:<br class="">
> <br class="">
> We have compiled and built older version (6.2p2) of openssh with 1.0.2j version of openssl.
<br class="">
> When the system in is crypto mode, we are getting the following error when a user logs in :<br class="">
> "<br class="">
> OpenSSL internal error, assertion failed: Low level API call to digest SHA256 forbidden in FIPS mode "
<br class="">
> <br class="">
> How do we overcome this without having to upgrade openssh ? <br class="">
<br class="">
</span>Don't enable FIPS mode.<br class="">
<span class="HOEnZb"><font color="#888888" class=""><br class="">
-- <br class="">
Viktor.<br class="">
<br class="">
-- <br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dusers&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=CWhX-q3QUS_vzMnQf34oGSuK7cOZkzUMz8LqhTQNmxM&s=KZktgcWyDdc5hW87YGjfdSY-0FapGOnJnYP6IQ_3H9Q&e=" rel="noreferrer" target="_blank" class="">
https://mta.openssl.org/<wbr class="">mailman/listinfo/openssl-users</a><br class="">
</font></span></blockquote>
</div>
<br class="">
</div>
-- <br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" class="">
https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>