Subject: RE: FIPS Support

RE: FIPS Support

From: James Yerge <>
Date: Wed, 23 Mar 2011 07:46:07 -0400

That sounds excellent. Maybe when I get some spare cycles, I'll dig through
the source and determine what needs to be changed and potentially provide
some patches :)

Another method of detecting FIPS mode is checking for the environment
variable OPENSSL_FIPS.

-----Original Message-----
[] On Behalf Of Daniel Stenberg
Sent: Wednesday, March 23, 2011 4:13 AM
To: libssh2 development
Subject: RE: FIPS Support

On Tue, 22 Mar 2011, James Yerge wrote:

> Basically, detect if we're operating in FIPS mode and determine what
> functions cannot be called directly. For instance, RSA_public_decrypt()
> cannot be called directly when operating in FIPS mode, the EVP_Verify*
> functions have to be used instead. I would also assume that determination
> FIPS only algorithms would need to be used when operating in FIPS mode.
> The RSA_public_decrypt() is just an example.

I suggest we have the source code either completely unconditionally adapted
this API (if it is possible), or it gets conditionally used if the configure

script detects that the used OpenSSL library is "Fipsed".

Patches welcome!

Received on 2011-03-23