FIPS support for Kerberos

Simo Sorce simo at
Fri May 3 08:25:08 EDT 2019

As far as I know there is no version of Kerberos that is FIPS compliant
at this point. There are also problems with some aspects of the
protocol that would have to be approved as allowed by FIPS.

There is definitely commercial interest to get there, but that effort
is generally happening at each vendor individually.


On Fri, 2019-05-03 at 10:44 +0530, Abhidnya Joshi wrote:
> Hi All,
> Is there a FIPS compliant version of Kerberos library available?
> Even if I build it with fips comliant openssl crypto, it gives problem for
> low level functions calls like SHA256_init, AES_set_encrypt_key, etc.
> Openssl libcrypto aborts on call to such function when FIPS mode is on.
> There is also MD5 used via krb5_rc_hash_message() which aborts via openssl
> libcrypto.
> Any suggestion/comments on how to handle this? ANy configurable to control
> these options?
> Thanks
> Abhidnya Joshi
> _______________________________________________
> krbdev mailing list             krbdev at

Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

More information about the krbdev mailing list