[openssl-users] Enabling FIPS on an custom embedded system.

Steve Marquess marquess at openssl.com
Thu Oct 27 12:12:18 UTC 2016

On 10/26/2016 06:06 PM, Eric Tremblay wrote:
> Hi Steve,
> Thanks for the quick reply.
> That is what I had understand from my reading but wasn't sure.
> My next question is about OpenSSH.  There is no official support in
> OpenSSH for FIPS at the moment right ?
> Thanks
> Eric

No, and there never will be; as I understand it the OpenSSH project has
taken the position that FIPS 140 isn't a desirable feature for OpenSSH.
TBH they have a point; from any technical perspective (e.g. security,
performance, maintainability) FIPS support is a negative. Ditto x.509
where the OpenSSH project has implemented a much simpler and more robust
certificate scheme.

You can find a rather old patch at
http://openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch, but
note that OpenSSH has evolved considerably since then.

There is another issue to consider as well. The only sane reason to use
FIPS 140 validated software is for deployment in environments where such
validation is a mandatory policy requirement. The US DoD is the largest
such environment, and there x.509 is also a mandate. Roumen Petrov has
for years maintained patches to add x.509 support to OpenSSH
(http://roumenpetrov.info/openssh/), but hacking OpenSSH for both FIPS
140 and x.509 is not a project for the faint-hearted, and since OpenSSH
is unlikely to ever add either feature officially you're left with a
long maintenance tail.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list