On Wed, Aug 18, 2010, Kriloff wrote:

> Is there a reason why RSA_sign() blocks anything that isn't a TLS
> signature in FIPS mode?
> OpenSSH ssh_rsa_sign() function calls RSA_sign() with nid=NID_sha1 for
> key signing, but given the code in OpenSSL RSA_sign() it fails with
> "operation not allowed in fips mode" error.
> Is this something that could be fixed in OpenSSH by calling different APIs?

This was based on advice from the testing labs during validation. By using the EVP APIs instead of RSA_sign() directly this can be fixed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org