[openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

Steve Marquess marquess at openssl.com
Mon Sep 21 21:25:12 UTC 2015

On 09/21/2015 05:12 PM, security veteran wrote:
> Thanks Steve.
> Just out of curiosity, I can imagine there might already be a lot
> of companies using the OpenSSL FIPS modules for FIPS validation.
> Since OpenSSH is almost everywhere in most server/appliance
> products, people should have run into the "OpenSSH not working with
> OpenSSL FIPS mode" issue before.

Yup, frequently.

> Do you know how most people resolve
> problems like this? Do they mostly use the OpenSSH patch to build the
> FIPS compliant version of OpenSSH, or did people do something else to
> resolve the issue?

I can't claim to know what "most" users do. I know that multiple
software vendors have independently hacked OpenSSH for use in DoD (do a
search on "site:csrc.nist.gov/groups/STM/cmvp/documents/ openssh" and
you'll see a number of validated modules that specifically mention
OpenSSH). I also know from consulting within DoD for many years that
OpenSSH is often used unmodified, a policy violation that often went
completely unnoticed. As a consultant I hacked OpenSSH multiple times
for DoD clients and vendors to DoD clients, and I'm sure I wasn't the
only one. There are also a handful of commercial knockoffs of OpenSSH
supposedly adapted for DoD compliance, though I've been out of that
arena long enough to no longer recall their names.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc