Comment 8 for bug 1951251
Revision history for this message
| Richard Maciel Costa (richardmaciel) wrote | #8 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
7020100
(Get the code!)
Here is the conclusion after some investigation:
Essentially, The openssh-fips is based on a openssh version newer than openssh. To the point where the former depends on openssl 1.1 and the latter on openssl 1.0;
That leads to the following situation: both openssh-server packages uses the /etc/ssh/moduli to get the P and G parameters for the Diffie-Hellman algorithm, but openssh-server-fips fetch them and uses libssl1.1 to check if the Diffie-Hellman group is valid. In many cases, the fetched G parameter from /etc/ssh/moduli is number 5, which isn't valid according to the criteria used by libssl1.1, so the libssl1.1 operation to get a group fails, then the openssh-server-fips operation fails as a consequence.
On the other hand, the archive openssh doesn't use libssl to check the P and G parameters, so no failures.
Unfortunately, this leads to a situation where a simple patch to bypass the check isn't possible.