From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 52523 invoked by alias); 25 Jun 2019 03:06:46 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 52514 invoked by uid 89); 25 Jun 2019 03:06:46 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=0.3 required=5.0 tests=AWL,BAYES_00,KAM_NUMSUBJECT,RCVD_IN_DNSWL_LOW,SPAM_BODY autolearn=no version=3.3.1 spammy=certified, certification, legally, sector X-HELO: smtp-out-so.shaw.ca Received: from smtp-out-so.shaw.ca (HELO smtp-out-so.shaw.ca) (64.59.136.139) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 25 Jun 2019 03:06:45 +0000 Received: from [192.168.1.114] ([24.64.172.44]) by shaw.ca with ESMTP id fbn8hsoNoGusjfbn9hcwY0; Mon, 24 Jun 2019 21:06:43 -0600 Reply-To: Brian.Inglis@SystematicSw.ab.ca Subject: Re: OpenSSH FIPS 140-2 To: cygwin@cygwin.com References: From: Brian Inglis Openpgp: preference=signencrypt Message-ID: <3823ab71-6770-278d-b604-688bfcf98315@SystematicSw.ab.ca> Date: Tue, 25 Jun 2019 03:06:00 -0000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2019-06/txt/msg00212.txt.bz2 On 2019-06-24 12:50, Pinzone, Gerard wrote: > I've been able to build OpenSSL 1.0.2 with FIPS support on Cygwin 32-bit and > native Windows using Visual Studio. The 64-bit edition of Cygwin doesn't > build the FIPS module correctly. There is a workaround, but that workaround > invalidates the FIPS build requirements, thus the resulting binary will not > be approved without a private certification that costs lots of $$$. I'd like > to get OpenSSH to work with the OpenSSL I've built under 32-bit Cygwin, but > that might require a custom build of OpenSSH. The latest Cygwin uses the > newer 1.1.1 branch of OpenSSL, so I don't know if that will cause any > compatibility problems. > Having a FIPS 140-2 OpenSSH on a Windows OS is important for those in the > financial and government sector. Microsoft's port of OpenSSH uses LibreSSL > (I think) and cannot be FIPS certified. It looks like Cygwin is our only > hope. I believe the implementation has to be validated and certified by NIST, so if that is required, you will have to use an implementation with NIST certification, listed at: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search Enter either OpenSSH or OpenSSL in the Module Name box to search. Check each certification for details of the hardware and software required to be used to be compliant. Please also remember the advice to only use FIPS modules where legally required, and never enable anything which is historical, inactive, or has been revoked, as it has been broken. For good security use currently recommended non-FIPS algorithms, ciphers, and modes. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple