From: "Pinzone, Gerard" <GPinzone@aaccorp.com>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: OpenSSH FIPS 140-2
Date: Mon, 24 Jun 2019 18:50:37 +0000
Message-ID: <e5f252b902f04393b6d581eb28e655fe@aaccorp.com>

I've been able to build OpenSSL 1.0.2 with FIPS support on Cygwin 32-bit and native Windows using Visual Studio. The 64-bit edition of Cygwin doesn't build the FIPS module correctly. There is a workaround, but that workaround invalidates the FIPS build requirements, thus the resulting binary will not be approved without a private certification that costs lots of $$$. I'd like to get OpenSSH to work with the OpenSSL I've built under 32-bit Cygwin, but that might require a custom build of OpenSSH. The latest Cygwin uses the newer 1.1.1 branch of OpenSSL, so I don't know if that will cause any compatibility problems.

Having a FIPS 140-2 OpenSSH on a Windows OS is important for those in the financial and government sector. Microsoft's port of OpenSSH uses LibreSSL (I think) and cannot be FIPS certified. It looks like Cygwin is our only hope.



