You would probably need a FIPS_mode_set(1) somewhere after the openssl
library initialization, and it would be a good thing to never keep any
keys in the clear.  As well, it would need to statically link to
openssl 0.9.7m built with the fipscanister module.  (If it uses
features specific to openssl 0.9.8, you cannot create a FIPS-validated
version at this time.)

This is not an openssh support list, and I have not looked at the
openssh sources to see what else would need to be changed.

You must ALWAYS follow the FIPS security policy when dealing with
anything FIPS.  If the security policy says that some constraint must
be met, that constraint must be met -- no matter how it impacts the
function or even possibility of doing what you want.

-Kyle H

2008/10/9 joshi chandran <[EMAIL PROTECTED]>:
> Hi All,
>
> I am trying to make openssh compatible with the FIPS-enabled openssl. Can
> anybody tell me what changes I have to make in openssh?
>
> Please help
>
> Thanks
>
> Joshi
>
> problem was solved by updating openssl to the latest release 0.9.8i
> (the one I used was 0.9.8a.) But I still don't know the root cause of
> that aborting. Anyway, it works now.
>
> Thanks,
> Elven
>
>> Date: Wed, 8 Oct 2008 01:21:08 -0700
>> Subject: Re: how to enable debug mode of openssl
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>>
>> Hi Elven,
>>
>> I suggest trying ERR_print_errors
>> (http://openssl.org/docs/crypto/ERR_print_errors.html#) to get an idea of
>> what error you are getting.
>> You can call it right after your call to PEM_read_bio_X509. It is most
>> likely to be a problem with the certificate data that you are feeding
>> to OpenSSL. Have you tried verifying that the data is valid?
>>
>> --- Kah
>>
>> On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote:
>> > I am using openssl on an ARM embedded platform. I want to support https, so
>> > it will use openssl. But I have encountered a problem. The application
>> > aborted for some unknown reason. I tried to trace the problem and found that
>> > it aborted on the call to "PEM_read_bio_X509" (ssl_rsa.c). And I can't trace
>> > any deeper.
>>
>> > >
>> > > So is there any way to enable debug mode of openssl so that I can
>> > > trace more deeply to find out the problem?
>> > >
>> > > Thanks.
>> > > Elven
>> >
>>
>>
>
>
> --
> Regards
> Joshi Chandran
>
