Secure Shell
Open SSH and FIPS 140-2 Nov 10 2010 04:32PM
Hrolenok, Paul (phrolenok intelligent net) (1 replies)
Re: Open SSH and FIPS 140-2 Nov 10 2010 04:49PM
AMuse (amuse foofus com) (1 replies)
Re: Open SSH and FIPS 140-2 Nov 10 2010 11:12PM
IBug_1 (ibug_1 comcast net)
Are you sure that is true? Where in that doc does it say a product or the crypto part of the product inherits FIPS certified if you compile it correctly?

I'm pretty sure our products with open source code still goes to a lab to be FIPS certified. Can't see how you can get a FIPS certificate w/out being formally tested. You're product might run FIPS certified code but it won't be FIPS certified.

At 11:49 AM 11/10/2010, AMuse wrote:

>Paul: When you compile OpenSSH against OpenSSL in FIPS mode, your OpenSSH will inherit the FIPS 140-2 certification which applies to OpenSSL.
>
>More info here: http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
>
>On 11/10/10 8:32 AM, Hrolenok, Paul wrote:
>>I have an application where I have to implement SFTP file transfers with FIPS 140-2 certified encryption.
>>I've been trying to find out if I can use Open SSH for this or if I have to buy a commercial solution.
>>Essentially I have two questions.
>>
>>1) Can I compile Open SSH from source using the Open SSL Fips sources and "inherit" the Fips certification?
>>2) Has anybody compiled Open SSH using the Fips Open SSL sources and can they give me any pointers on how to do that?
>>
>>Any data on the difficulty or time involved would be appreciated since I have to justify the final decision to
>>my $BOSS. I would be doing this on a Sun SPARC system running Solaris 10. I have access to both gcc and the
>>Sun Workshop compilers and would appreciate any insight on either or both.
>>
>>TIA
>>Paul
>>
>>Paul S. Hrolenok
>>Senior Consultant
>>ID Services Group
>>http://www.intelligent.net
>>Recognized on Washingtonian Magazine's 50 Great Places to Work list - 2009

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus