[ssh_x509] OpenSSL 3.0 FIPS provider

ssh_x509 at roumenpetrov.info
Fri Aug 26 10:08:19 EEST 2022


ssh_x509 at roumenpetrov.info wrote:

> Hello,
> ssh_x509 at roumenpetrov.info wrote:
>> Hi,
>> Are there any plans to support OpenSSL 3's FIPS provider? Apache's httpd
>> mod_ssl now wraps the FIPS_mode function calls based on the OpenSSL
>> version,
> It seems to me OpenSSL 3.0 is not production ready.
> For about two years the regression tests have been failing with openssl master, i.e. the basis for 3.0. This period prevented attempts to implement provider-based keys.
> There are other tasks to do with priority. Let's see a workable and more stable OpenSSL API first. Implementation and use of provider-based keys is planned for the OpenSSL 3.1 API, and in this context FIPS support.
>> https://svn.apache.org/viewvc?view=revision&revision=1901470

Now I have time to check the commit. It seems to me this is yet another useless function rename done by the OpenSSL team.

* PKIX-SSH 13.4.1 has a work-around for OpenSSL 3.0:
Note: due to its broken design, OpenSSL 3.0 cannot ensure compatibility with the existing code base. Reordered PKIX-SSH code allows throwing away the mis-functional OpenSSL 3.0 key manager from keys.

Related: https://github.com/openssl/openssl/issues/17286

* e_nss 4.0 adds support for OpenSSL 3+: work-around for buggy engine-related key management in OpenSSL 3+. ...

Related: https://github.com/openssl/openssl/issues/17092

So if it is activated we could expect failures if the identity is obtained from engines or from a secure token. Also expected is failure in hostbased authentication.

A modification similar to Apache's could be applied, but it must be considered highly experimental.

>> Thanks,
>> Joe
> Roumen
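Added example (not code from PKIX-SSH, Apache httpd, or this post): the version-dependent FIPS check that the Apache commit linked above introduces at compile time, done here at run time by loading whichever libcrypto is installed and looking up the OpenSSL 3.x call EVP_default_properties_is_fips_enabled() before falling back to the OpenSSL 1.x call FIPS_mode(). The library names tried and the helper name probe_fips_mode are assumptions of the example; the two OpenSSL function names are the real ones. The order of the two lookups is the practitioner's check here: libcrypto.so.3 still exports the deprecated FIPS_mode() symbol, but in 3.x it is a stub that reports 0 whatever provider is loaded, so code that keeps calling the old name against a 3.x library silently concludes that FIPS mode is off.

```c
/*
 * Added example, not code from PKIX-SSH, Apache httpd or the list post.
 * Probes at run time which FIPS-mode API the installed libcrypto offers:
 * OpenSSL 3.x exports EVP_default_properties_is_fips_enabled(), OpenSSL 1.x
 * exports FIPS_mode(). Apache makes the same selection at compile time with
 * OPENSSL_VERSION_NUMBER; dlopen/dlsym is used here so the probe builds and
 * runs without OpenSSL headers or a link-time dependency on libcrypto.
 */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* OpenSSL 3.x: int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *ctx) */
typedef int (*fips_enabled_3x_fn)(void *libctx);
/* OpenSSL 1.x: int FIPS_mode(void) */
typedef int (*fips_mode_1x_fn)(void);

/* Library names to try, newest first (assumed typical SONAMEs on Linux). */
static const char *const default_libcrypto_candidates[] = {
    "libcrypto.so.3",
    "libcrypto.so.1.1",
    "libcrypto.so",
    NULL
};

/*
 * Returns 1 if the default property query selects the FIPS provider (3.x) or
 * FIPS mode is on (1.x), 0 if not, and -1 if no candidate library could be
 * loaded or none of them exports either symbol. *api_used is set to the name
 * of the symbol the answer came from, or NULL when the result is -1.
 *
 * The 3.x symbol is looked up FIRST. libcrypto.so.3 still exports the
 * deprecated FIPS_mode(), but there it is a stub that returns 0 regardless
 * of the provider configuration; consulting it only when the new API is
 * absent is what makes the answer trustworthy on both library generations.
 */
int probe_fips_mode(const char *const candidates[], const char **api_used)
{
    if (api_used != NULL)
        *api_used = NULL;

    for (size_t i = 0; candidates[i] != NULL; i++) {
        /* Not dlclose()d on purpose: libcrypto registers atexit() cleanup
         * handlers and pins itself in memory once it has been initialised. */
        void *h = dlopen(candidates[i], RTLD_NOW | RTLD_LOCAL);
        if (h == NULL)
            continue;

        fips_enabled_3x_fn f3 =
            (fips_enabled_3x_fn)dlsym(h, "EVP_default_properties_is_fips_enabled");
        if (f3 != NULL) {
            if (api_used != NULL)
                *api_used = "EVP_default_properties_is_fips_enabled";
            return f3(NULL) ? 1 : 0;   /* NULL = the default library context */
        }

        fips_mode_1x_fn f1 = (fips_mode_1x_fn)dlsym(h, "FIPS_mode");
        if (f1 != NULL) {
            if (api_used != NULL)
                *api_used = "FIPS_mode";
            return f1() ? 1 : 0;
        }
        /* Loaded something named libcrypto that has neither symbol: try the
         * next candidate rather than guessing. */
    }
    return -1;
}

int main(void)
{
    const char *api = NULL;
    int r = probe_fips_mode(default_libcrypto_candidates, &api);
    if (r < 0) {
        printf("no usable libcrypto found\n");
        return 1;
    }
    printf("FIPS mode: %s (via %s)\n", r ? "enabled" : "disabled", api);
    return 0;
}
```

Build with `cc -o fipsprobe fipsprobe.c` (add `-ldl` on glibc older than 2.34); no OpenSSL headers are needed, only a libcrypto shared object on the loader path. On a 3.x system the reported API should always be EVP_default_properties_is_fips_enabled; seeing FIPS_mode there means the lookup order has been inverted and the result should not be trusted.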

