From: "Pinzone, Gerard"
To: "cygwin AT cygwin DOT com"
Subject: OpenSSH FIPS 140-2
Date: Mon, 24 Jun 2019 18:50:37 +0000

I've been able to build OpenSSL 1.0.2 with FIPS support on Cygwin 32-bit and native Windows using Visual Studio. The 64-bit edition of Cygwin doesn't build the FIPS module correctly.
There is a workaround, but that workaround invalidates the FIPS build requirements, thus the resulting binary will not be approved without a private certification that costs lots of $$$. I'd like to get OpenSSH to work with the OpenSSL I've built under 32-bit Cygwin, but that might require a custom build of OpenSSH. The latest Cygwin uses the newer 1.1.1 branch of OpenSSL, so I don't know if that will cause any compatibility problems. Having a FIPS 140-2 OpenSSH on a Windows OS is important for those in the financial and government sector. Microsoft's port of OpenSSH uses LibreSSL (I think) and cannot be FIPS certified. It looks like Cygwin is our only hope.