Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2022/08/24 06:00:18 UTC

[GitHub] [guacamole-server] jmuehlner commented on pull request #391: GUACAMOLE-1669: Prefer FIPS compliant ciphers and algorithms when FIPS mode is enabled.

jmuehlner commented on PR #391:
URL: https://github.com/apache/guacamole-server/pull/391#issuecomment-1225235336

   Yeah, I kinda feel like it's probably not worth it. In the general case, we don't really want to be telling libssh2 what it should be using at all - its job is to negotiate a set of algorithms and ciphers that both server and client can use. Unfortunately it doesn't seem to work in the case of FIPS.
   
   Luckily for FIPS, there's a pretty small set of options that are both FIPS-compliant, AND libssh2-supported. I just listed those from biggest key to smallest. I guess you could imagine somebody wanting to prefer smaller key sizes for performance reasons, but I'd guess that nobody would ever use such an option ¯\_(ツ)_/¯
   
   > Cool, looks okay to me as long as it tests okay. My only other question would be if it's worth making it configurable or not? I'm guessing not - since it's just setting an order of preferred cipher and key algorithms, I would guess if it supports it you want it. Just throwing it out, though.
   
   

