Hi experts,
Current I am doing FIPS gap analysis for our product, can someone help to have a look my questions?
Our product is server running under CentOS 6.x, and according to the upstream (RedHat) document, CentOS can be configured to FIPS mode: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
And according to the CentOS forum, if we enabled FIPS mode on CentOS, then OpenSSL will also be in FIPS mode https://www.centos.org/forums/viewtopic.php?t=9078
Questions:
(1) Is that true for OpenSSL ?
(2) How about OpenSSH, since we are using SSH for administration, but there is not too much document mentioning OpenSSH Vs. FIPS. But looks like REDHAT already takes care of OpenSSH: https://www.redhat.com/en/about/press-releases/red-hat-completes-fips-1402-c... Can I assume that OpenSSH is in FIPS mode when CentOS is in FIPS mode ?
Regards, Ning Liu
On 10/22/2015 09:12 PM, Ning Liu (niliu2) wrote:
(1) Is that true for OpenSSL ?
http://stackoverflow.com/questions/18616573/how-to-check-fips-140-2-support-...
But, having said that, you should note that FIPS is a certification that applies to specific products. You can enable "FIPS mode" but no CentOS systems are FIPS certified. If you require certification, you must use a Red Hat product.
(2) How about OpenSSH, since we are using SSH for administration, but there is not too much document mentioning OpenSSH Vs. FIPS.
Look at the document you linked to, again. It describes specifics with regard to OpenSSH. Verify that sshd is configured according to the documentation, and follow the advice when generating host and user keys.
-
Gordon Messmer -
Ning Liu (niliu2)