https://bugzilla.mindrot.org/show_bug.cgi?id=3603
--- Comment #12 from Damien Miller <d...@mindrot.org> ---
Created attachment 3720
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3720&action=edit
runtime probing of ciphers

> You can try this in your setup as well, enable openssl fips in server, use
> latest openssh server and try connecting from a client with no ciphers
> mentioned.

ok, you're putting OpenSSL in FIPS mode and not patching OpenSSH. You've then created a situation where the OpenSSL you're using is behaving differently to the OpenSSL that OpenSSH was compiled with, and currently OpenSSH is not in a position to detect this.

Changing this basically requires that OpenSSH do runtime probing of all cryptography to see whether something has changed underneath it.

This patch is an example of how we might approach this. Maybe it helps your case? It certainly isn't complete - we'd need to do effectively the same thing for MACs, public key algorithms and key agreement algorithms too since I bet some of those could be disabled by OpenSSL's FIPS support too.

The patch could probably be simplified if there's a simpler way to query whether OpenSSL supports a particular algorithm.

In the meantime, if you're changing your crypto library to disable particular algorithms, then you need to *manually* change your ssh_config and sshd_config to match.
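
An added illustration of the manual step described in the comment above (not part of the bug comment, the attachment, or OpenSSH): it takes `sshd -T` style output, compares the effective cipher list with the algorithms a restricted crypto library still provides, and emits a matching `Ciphers` line. The name mapping, function names and sample data are assumptions constructed for this example.

```python
# Added example: names and sample data below are constructed for illustration.

# Assumed mapping from OpenSSH cipher names to the OpenSSL algorithm each one needs.
OPENSSH_TO_OPENSSL = {
    "3des-cbc": "DES-EDE3-CBC",
    "aes128-cbc": "AES-128-CBC",
    "aes192-cbc": "AES-192-CBC",
    "aes256-cbc": "AES-256-CBC",
    "aes128-ctr": "AES-128-CTR",
    "aes192-ctr": "AES-192-CTR",
    "aes256-ctr": "AES-256-CTR",
    "aes128-gcm@openssh.com": "AES-128-GCM",
    "aes256-gcm@openssh.com": "AES-256-GCM",
    "chacha20-poly1305@openssh.com": "ChaCha20",
}

def effective_ciphers(sshd_t_output):
    """Return the cipher list from `sshd -T` style output (keywords are lowercase there)."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "ciphers":
            return [c for c in value.strip().split(",") if c]
    raise ValueError("no 'ciphers' line found")

def reconcile(sshd_t_output, library_algorithms):
    """Split configured ciphers into usable ones and ones the library no longer provides."""
    available = {a.upper() for a in library_algorithms}
    keep, drop = [], []
    for name in effective_ciphers(sshd_t_output):
        needed = OPENSSH_TO_OPENSSL.get(name)
        # Unknown names are dropped too: fail closed rather than offer an unverified cipher.
        (keep if needed and needed.upper() in available else drop).append(name)
    if not keep:
        raise ValueError("no configured cipher is provided by the crypto library")
    return keep, drop, "Ciphers " + ",".join(keep)

# Constructed sample: effective sshd config and what a restricted library still offers.
SAMPLE_SSHD_T = """port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256
"""
SAMPLE_LIBRARY = ["AES-128-CTR", "AES-256-CTR", "AES-128-GCM", "AES-256-GCM", "AES-128-CBC"]

if __name__ == "__main__":
    keep, drop, line = reconcile(SAMPLE_SSHD_T, SAMPLE_LIBRARY)
    print("drop:", ", ".join(drop))
    print(line)
```

The same comparison would have to be repeated for MACs, public key algorithms and key agreement algorithms, which the comment notes may also be disabled.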