Open SSH and FIPS 140-2
I have an application where I have to implement SFTP file transfers with FIPS 140-2 certified encryption.
I've been trying to find out if I can use Open SSH for this or if I have to buy a commercial solution.
Essentially I have two questions.

1) Can I compile Open SSH from source using the Open SSL Fips sources and "inherit" the Fips certification?
2) Has anybody compiled Open SSH using the Fips Open SSL sources and can they give me any pointers on how to do that?

Any data on the difficulty or time involved would be appreciated since I have to justify the final decision to
my $BOSS. I would be doing this on a Sun SPARC system running Solaris 10. I have access to both gcc and the
Sun Workshop compilers and would appreciate any insight on either or both.

TIA
Paul

Paul S. Hrolenok
Senior Consultant
ID Services Group
http://www.intelligent.net
Recognized on Washingtonian Magazine's 50 Great Places to Work list - 2009
Re: Open SSH and FIPS 140-2
Paul: When you compile OpenSSH against OpenSSL in FIPS mode, your
OpenSSH will inherit the FIPS 140-2 certification which applies to OpenSSL.

More info here: http://www.openssl.org/docs/fips/UserGuide-1.2.pdf

On 11/10/10 8:32 AM, Hrolenok, Paul wrote:
Re: Open SSH and FIPS 140-2
Are you sure that is true? Where in that doc does it say a product, or the crypto part of the product, inherits FIPS certification if you compile it correctly?

I'm pretty sure our products with open source code still go to a lab to be FIPS certified. Can't see how you can get a FIPS certificate without being formally tested. Your product might run FIPS certified code, but it won't be FIPS certified.

At 11:49 AM 11/10/2010, AMuse wrote:
