
libssh-0.9.0

We are proud to announce a new major release of the SSH library. Version 0.9.0 offers a lot of new features and bug fixes. We added support for AES-GCM encryption, Encrypt-then-MAC mode, elliptic-curve certificate support, FIPS 140-2 compatibility and much more.

We also added support for server-side configuration parsing. This is mostly useful for defining ciphers, MAC modes and hashes. We also improved performance and reduced the copying of data for internal data structures.

When libssh is built against a recent version of OpenSSL, we will use the new APIs for KEX, DH, KDF and signatures. This is especially required for FIPS compatibility.

With this release we also disabled Blowfish support by default.

As we started to use GitLab CI for testing with libssh 0.8.0, we extended our test suite with server tests, which also revealed some bugs. We’ve added csbuild to get more static code analysis to detect issues before we commit them to the upstream repository.

Thanks to all contributors who made this release possible!

If you are new to libssh, you should read our tutorial on how to get started.
Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh-0.9.0 here.

ChangeLog

  • Added support for AES-GCM
  • Added improved rekeying support
  • Added performance improvements
  • Disabled Blowfish support by default
  • Fixed several ssh config parsing issues
  • Added support for DH Group Exchange KEX
  • Added support for Encrypt-then-MAC mode
  • Added support for parsing server side configuration file
  • Added support for ECDSA/Ed25519 certificates
  • Added FIPS 140-2 compatibility
  • Improved known_hosts parsing
  • Improved documentation
  • Improved OpenSSL API usage for KEX, DH, KDF and signatures

Code Stats

Between versions 0.8.0 and 0.9.0, libssh saw:

  • 910 commits
  • 265 files changed, 41328 insertions(+), 14319 deletions(-)