diff --git a/SOURCES/0001-ssh-Use-SHA256-fingerprints-when-available.patch b/SOURCES/0001-ssh-Use-SHA256-fingerprints-when-available.patch
new file mode 100644
index 0000000..11663ae
--- /dev/null
+++ b/SOURCES/0001-ssh-Use-SHA256-fingerprints-when-available.patch
@@ -0,0 +1,125 @@
+From 50873a820f9d9c655b93e8ff2d4158aff29761ff Mon Sep 17 00:00:00 2001
+From: Martin Pitt <martin@piware.de>
+Date: Mon, 8 Oct 2018 15:19:02 +0200
+Subject: [PATCH 1/2] ssh: Use SHA256 fingerprints when available
+
+libssh 0.8 offers SHA256 fingerprints in addition to the old MD5/SHA1
+ones. The latter are both cryptographically broken, and not allowed when
+running in FIPS mode -- these cause an assertion crash in OpenSSL.
+
+The "ssh" CLI hasn't shown MD5 fingerprints in a long time, not even on
+RHEL 7 (it shows SHA1 and SHA256 there by default), so this actually
+improves compatibility with ssh.
+
+Use libssh 0.8's ssh_get_fingerprint_hash() function, as ssh itself
+shows SHA256 fingerprints  in base64 instead of hex. cockpit-ssh's
+fingerprint prompts should be compatible, and hex fingerprints would be
+overly long.
+
+Adjust most check-multi-machine tests to not care about the particular
+type of fingerprint, as they don't check the actual fingerprint anyway.
+Only `TestMultiMachine.testDirectLogin` does, so adjust the test to
+accept both MD5 and SHA256 fingerprints.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1585191
+
+Closes #10241
+---
+ configure.ac              |  2 ++
+ src/ssh/cockpitsshrelay.c | 17 +++++++++++++++--
+ src/ssh/test-sshbridge.c  |  8 +++++++-
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index af8b1e3..b0d4879 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -132,6 +132,8 @@ if test "$enable_ssh" != "no"; then
+     AC_DEFINE_UNQUOTED(HAVE_SSH_GET_SERVER_PUBLICKEY, 1, Whether ssh_get_server_publickey is available)
+   ])
+ 
++  AC_CHECK_DECLS([SSH_PUBLICKEY_HASH_SHA256, ssh_get_fingerprint_hash], [], [], [[#include <libssh/libssh.h>]])
++
+   COCKPIT_SSH_SESSION_CFLAGS="$COCKPIT_CFLAGS $LIBSSH_CFLAGS $KRB5_CFLAGS"
+   COCKPIT_SSH_SESSION_LIBS="$COCKPIT_LIBS $LIBSSH_LIBS $KRB5_LIBS"
+   AC_SUBST(COCKPIT_SSH_SESSION_LIBS)
+diff --git a/src/ssh/cockpitsshrelay.c b/src/ssh/cockpitsshrelay.c
+index 41286c3..1798345 100644
+--- a/src/ssh/cockpitsshrelay.c
++++ b/src/ssh/cockpitsshrelay.c
+@@ -52,6 +52,15 @@
+ #include <fcntl.h>
+ #include <time.h>
+ 
++/* libssh 0.8 offers SHA256 fingerprints, use them if available */
++#if HAVE_DECL_SSH_PUBLICKEY_HASH_SHA256
++#define SSH_PUBLICKEY_HASH SSH_PUBLICKEY_HASH_SHA256
++#define SSH_PUBLICKEY_HASH_NAME "SHA256"
++#else
++#define SSH_PUBLICKEY_HASH SSH_PUBLICKEY_HASH_MD5
++#define SSH_PUBLICKEY_HASH_NAME "MD5"
++#endif
++
+ /* we had a private one before moving to /etc/ssh/ssh_known_hosts */
+ #define LEGACY_KNOWN_HOSTS PACKAGE_LOCALSTATE_DIR "/known_hosts"
+ 
+@@ -505,7 +514,7 @@ prompt_for_host_key (CockpitSshData *data)
+ 
+   message = g_strdup_printf ("The authenticity of host '%s:%d' can't be established. Do you want to proceed this time?",
+                              host, port);
+-  prompt = g_strdup_printf ("MD5 Fingerprint (%s):", data->host_key_type);
++  prompt = g_strdup_printf (SSH_PUBLICKEY_HASH_NAME " Fingerprint (%s):", data->host_key_type);
+ 
+   reply = prompt_with_authorize (data, prompt, message, data->host_fingerprint, data->host_key, TRUE);
+ 
+@@ -674,7 +683,7 @@ verify_knownhost (CockpitSshData *data,
+       goto done;
+     }
+ 
+-  if (ssh_get_publickey_hash (key, SSH_PUBLICKEY_HASH_MD5, &hash, &len) < 0)
++  if (ssh_get_publickey_hash (key, SSH_PUBLICKEY_HASH, &hash, &len) < 0)
+     {
+       g_warning ("Couldn't hash ssh public key");
+       ret = "internal-error";
+@@ -682,7 +691,11 @@ verify_knownhost (CockpitSshData *data,
+     }
+   else
+     {
++#if HAVE_DECL_SSH_GET_FINGERPRINT_HASH
++      data->host_fingerprint = ssh_get_fingerprint_hash (SSH_PUBLICKEY_HASH, hash, len);
++#else
+       data->host_fingerprint = ssh_get_hexa (hash, len);
++#endif
+       ssh_clean_pubkey_hash (&hash);
+     }
+ 
+diff --git a/src/ssh/test-sshbridge.c b/src/ssh/test-sshbridge.c
+index e86f639..bc5bc3a 100644
+--- a/src/ssh/test-sshbridge.c
++++ b/src/ssh/test-sshbridge.c
+@@ -563,7 +563,13 @@ test_echo_large (TestCase *tc,
+ 
+ static const gchar MOCK_RSA_KEY[] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYzo07OA0H6f7orVun9nIVjGYrkf8AuPDScqWGzlKpAqSipoQ9oY/mwONwIOu4uhKh7FTQCq5p+NaOJ6+Q4z++xBzSOLFseKX+zyLxgNG28jnF06WSmrMsSfvPdNuZKt9rZcQFKn9fRNa8oixa+RsqEEVEvTYhGtRf7w2wsV49xIoIza/bln1ABX1YLaCByZow+dK3ZlHn/UU0r4ewpAIZhve4vCvAsMe5+6KJH8ft/OKXXQY06h6jCythLV4h18gY/sYosOa+/4XgpmBiE7fDeFRKVjP3mvkxMpxce+ckOFae2+aJu51h513S9kxY2PmKaV/JU9HBYO+yO4j+j24v";
+ 
++#if HAVE_DECL_SSH_PUBLICKEY_HASH_SHA256
++static const gchar MOCK_RSA_FP[] = "SHA256:XQ8a7zGxMFstDrGecBRUP9OMnOUXd/T3vkNGtYShs2w";
++#define SSH_PUBLICKEY_HASH_NAME "SHA256"
++#else
+ static const gchar MOCK_RSA_FP[] = "0e:6a:c8:b1:07:72:e2:04:95:9f:0e:b3:56:af:48:e2";
++#define SSH_PUBLICKEY_HASH_NAME "MD5"
++#endif
+ 
+ 
+ static void
+@@ -634,7 +640,7 @@ do_hostkey_conversation (TestCase *tc,
+                                  (int)tc->ssh_port, MOCK_RSA_FP,
+                                  (int)tc->ssh_port, MOCK_RSA_KEY);
+ 
+-  do_auth_conversation (tc->transport, "MD5 Fingerprint (ssh-rsa):",
++  do_auth_conversation (tc->transport, SSH_PUBLICKEY_HASH_NAME " Fingerprint (ssh-rsa):",
+                         expect_json, response, add_header);
+   g_free (expect_json);
+ }
+-- 
+2.19.1
+
diff --git a/SOURCES/9999-Build-system-generated-changes-from-patches.patch b/SOURCES/9999-Build-system-generated-changes-from-patches.patch
new file mode 100644
index 0000000..ec45230
--- /dev/null
+++ b/SOURCES/9999-Build-system-generated-changes-from-patches.patch
@@ -0,0 +1,97 @@
+From f2df0777226cf446d682812f464f68e91cbd25b4 Mon Sep 17 00:00:00 2001
+From: Martin Pitt <martin@piware.de>
+Date: Sun, 28 Oct 2018 13:55:38 +0100
+Subject: [PATCH 2/2] Build system generated changes from patches
+
+---
+ configure | 90 ++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 80 insertions(+), 10 deletions(-)
+
+diff --git a/configure b/configure
+index 841293e..665e89c 100755
+--- a/configure
++++ b/configure
+@@ -1939,6 +1939,52 @@ fi
+ 
+ } # ac_fn_c_try_link
+ 
++# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
++# ---------------------------------------------
++# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
++# accordingly.
++ac_fn_c_check_decl ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  as_decl_name=`echo $2|sed 's/ *(.*//'`
++  as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
++$as_echo_n "checking whether $as_decl_name is declared... " >&6; }
++if eval \${$3+:} false; then :
++  $as_echo_n "(cached) " >&6
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$4
++int
++main ()
++{
++#ifndef $as_decl_name
++#ifdef __cplusplus
++  (void) $as_decl_use;
++#else
++  (void) $as_decl_name;
++#endif
++#endif
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  eval "$3=yes"
++else
++  eval "$3=no"
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++
++} # ac_fn_c_check_decl
++
+ # ac_fn_c_check_func LINENO FUNC VAR
+ # ----------------------------------
+ # Tests whether FUNC exists, setting the cache variable VAR accordingly
+@@ -6891,6 +6937,30 @@ _ACEOF
+ fi
+ 
+ 
++  ac_fn_c_check_decl "$LINENO" "SSH_PUBLICKEY_HASH_SHA256" "ac_cv_have_decl_SSH_PUBLICKEY_HASH_SHA256" "#include <libssh/libssh.h>
++"
++if test "x$ac_cv_have_decl_SSH_PUBLICKEY_HASH_SHA256" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_SSH_PUBLICKEY_HASH_SHA256 $ac_have_decl
++_ACEOF
++ac_fn_c_check_decl "$LINENO" "ssh_get_fingerprint_hash" "ac_cv_have_decl_ssh_get_fingerprint_hash" "#include <libssh/libssh.h>
++"
++if test "x$ac_cv_have_decl_ssh_get_fingerprint_hash" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_SSH_GET_FINGERPRINT_HASH $ac_have_decl
++_ACEOF
++
++
+   COCKPIT_SSH_SESSION_CFLAGS="$COCKPIT_CFLAGS $LIBSSH_CFLAGS $KRB5_CFLAGS"
+   COCKPIT_SSH_SESSION_LIBS="$COCKPIT_LIBS $LIBSSH_LIBS $KRB5_LIBS"
+ 
diff --git a/SPECS/cockpit.spec b/SPECS/cockpit.spec
index 1ae0660..d26440a 100644
--- a/SPECS/cockpit.spec
+++ b/SPECS/cockpit.spec
@@ -45,7 +45,7 @@
 %endif
 
 
-%define libssh_version 0.7.1
+%define libssh_version 0.7.1-7
 %if 0%{?fedora} > 0 && 0%{?fedora} < 22
 %define libssh_version 0.6.0
 %endif
@@ -68,13 +68,16 @@ URL:            https://cockpit-project.org/
 
 Version:        176
 %if %{defined wip}
-Release:        2.%{wip}%{?dist}
+Release:        1.%{wip}%{?dist}
 Source0:        cockpit-%{version}.tar.gz
 %else
-Release:        3%{?dist}
+Release:        4%{?dist}
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
 %endif
 
+Patch1:        0001-ssh-Use-SHA256-fingerprints-when-available.patch
+Patch9999:     9999-Build-system-generated-changes-from-patches.patch
+
 BuildRequires: gcc
 BuildRequires: pkgconfig(gio-unix-2.0)
 BuildRequires: pkgconfig(json-glib-1.0)
@@ -148,7 +151,7 @@ if [ -n "%{patches}" ]; then
     git config core.autocrlf false && git config core.safecrlf false && git config gc.auto 0
     git add -f . && git commit -a -q -m "Base" && git tag -a initial --message="initial"
     git am --whitespace=nowarn %{patches}
-    touch -r $(git diff --name-only initial..HEAD) .git Makefile.in
+    touch -r $(git diff --name-only initial..HEAD) .git Makefile.in aclocal.m4
     rm -rf .git
 fi
 
@@ -789,6 +792,10 @@ The Cockpit component for installing package updates, via PackageKit.
 %endif # build optional extension packages
 
 %changelog
+* Mon Oct 29 2018 Martin Pitt <mpitt@redhat.com> 176-4
+- Switch to ssh SHA256 fingerprints, to fix crash in FIPS mode
+  rhbz#1585191
+
 * Thu Aug 30 2018 Martin Pitt <mpitt@redhat.com> 176-3
 - Storage: Offer installation of VDO on demand
 - Machines: Add disks to a virtual machine