Debian considers switching curl to use libssh instead of libssh2
Andreas Schneider
asn at cryptomilk.org
Sun Jan 2 19:35:53 CET 2022
On Friday, 31 December 2021 14:54:49 CET Daniel Stenberg wrote:
> On Fri, 31 Dec 2021, Andreas Schneider wrote:
> > * Use only crypto from a FIPS certified library (e.g. OpenSSL).
> >
> > libssh2 doesn't do that yet.
>
> When libssh2 uses OpenSSL for crypto, what else does libssh2 use for crypto
> then that makes it not adhere?
You need to use *all* security-relevant functionality from a FIPS-certified
security module or you're not FIPS compliant.
Example: https://www.openssl.org/docs/manmaster/man3/DH_get0_p.html
> > * Zero sensitive data before freeing it
>
> I don't think that's a FIPS requirement?
I was just trying to help. Better read it yourself:
https://csrc.nist.gov/publications/fips
Best regards
Andreas