[openssl-users] Error compiling openssh with openssl
jb-openssl at wisemo.com
Mon Jun 11 23:42:02 UTC 2018
On 11/06/2018 18:14, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Salz, Rich via openssl-users
>> Sent: Monday, June 11, 2018 08:52
>>> So is there any other way we can still make it work without disabling FIPS mode?
>> No. The version of openssh you are using makes API calls that are not allowed in FIPS mode. I suspect
>> later versions of OpenSSH also do this, and therefore “FIPS mode openssh” will require some coding work.
> The OP should also note this also implies this is an issue in OpenSSH, not OpenSSL. OpenSSL is working properly. FIPS 140-2 has various requirements, and OpenSSH is violating one of them.
> And, further, note that even if there were a way to suppress this check without disabling FIPS mode, that would be pointless. A product that uses non-FIPS cryptography cannot claim FIPS validation or "FIPS Inside" (which is the claim that only FIPS-validated cryptography is used). Consequently, such a product doesn't meet the FIPS requirement, for customers who have such a requirement; and there's little or no other benefit to FIPS.

Note that what seems to be violated here is not the FIPS requirements as
such, but the OpenSSL-specific rule that the older crypto functions are
not directed to the FIPS blob, just outright rejected. In this case,
that the easier-to-use SHA256 OpenSSL 1.0.x API isn't forwarded to
the FIPS validated SHA256 implementation.

I don't know if FIPS-enabled OpenSSL 0.9.8 forwarded those calls to the
old FIPS validated implementation or just left the non-FIPS implementation
available by accident.

Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded