[ssh_x509] OpenSSH Running Under OpenSSL Build with FIPS Module

ssh_x509 at roumenpetrov.info
Sat Feb 6 11:48:35 EET 2016


Hello,
ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> I have a question about running OpenSSH under an OpenSSL build with the FIPS module. When OpenSSH is built to run under OpenSSL, does OpenSSH start using OpenSSL's DRNG / RNG, or do I need to make changes in the code to ensure that OpenSSH uses the OpenSSL DRNG / RNG?
> Thanks,
> Regards,
> -Mofassir

Method FIPS_mode_set always assigns the "FIPS random method" (SP800-90 DRBG)
if the argument is true, i.e. it switches the cryptographic module into FIPS mode.
PKIX-SSH calls FIPS_mode_set in all SSH binaries during OpenSSL
initialization. Initialization is performed before other operations.
SSH code does not try to change the RAND method.
So a call to FIPS_mode_set should be sufficient.


Roumen




