[ssh_x509] Query regarding X.509 code patch returning error in fips mode.

ssh_x509 at roumenpetrov.info
Thu Jan 17 07:31:02 EET 2013

Hi List members,

I have a very specific query regarding the patch for X.509 over OpenSSH
5.9. I had applied the 7.1 version of the patch. When I enabled FIPS mode,
reloaded, and tried to ssh to the box, I got a disconnection with one fatal
and one error message in the log. The file 'ssh-xkalg.c' has a section for
'#ifdef OPENSSL_FIPS' in the function 'ssh_add_x509key_alg', and in the
check there, based on FIPS_mode(), it prints the error
"ssh_add_x509pubkey_alg: rsa-md5 in not enabled in FIPS mode".

Now, this function is called from two files, readconf.c and servconf.c.
There, a fatal message is printed: "Bad X.509 key algorithm". This is
because, if FIPS mode is enabled, the previous function has a goto jump
to 'err', which returns -1, and hence it enters the check for
'ssh_add_x509key_alg(arg) < 1'. The end result is that ssh is not

The check for OPENSSL_FIPS is not there in patch 7.0 for X.509. So my
question is whether anyone has faced a situation like this (if yes, a solution
would be of great help) or whether there is any patch available for this. If
there is any mistake in my setup, what could it be? I tried to search
forums and the internet for a similar problem, but couldn't find anyone who
faced a similar error.

It will be a great help to me if you could help or give some pointers.

