Debian considers switching curl to use libssh instead of libssh2

Andreas Schneider asn at
Fri Dec 31 13:16:22 CET 2021

On Friday, December 31, 2021 12:27:26 PM CET Daniel Stenberg wrote:
> > c) FIPS readiness
> How is libssh more ready for FIPS than libssh2?

The easiest way is to pay a company which does FIPS certification to check the 
source code for you and produce a list of things which need to be addressed in 
order to be FIPS ready.

>From the checklist for FIPS just out my head:

* Use only crypto from a FIPS certified library (e.g. OpenSSL).
  libssh2 doesn't do that yet.
* Zero sensitive data before freeing it
* Test that it actually works in FIPS mode



Andreas Schneider                 asn at
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the libssh2-devel mailing list