[ssh_x509] ssh_x509 Digest, Vol 9, Issue 3

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Jan 17 15:49:41 EET 2013


In my previous email, just a typo, it's '<0' and not '<1' in
'ssh_add_x509key_alg(arg) < 1' .


Though I have a workaround for this, which is to comment out the config line
that mentions rsa-md5, I would like to know about any other solution and
what the pros and cons would be of commenting out that line, which says:

X509KeyAlgorithm x509v3-sign-rsa,rsa-md5

Thanks,
Anand

On Thu, Jan 17, 2013 at 3:30 PM, <ssh_x509-request at roumenpetrov.info> wrote:

> Today's Topics:
>
>    1. Query regarding X.509 code patch returning error in fips
>       mode. (ssh_x509 at roumenpetrov.info)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 17 Jan 2013 11:01:02 +0530
> From: ssh_x509 at roumenpetrov.info
> To: ssh_x509 at roumenpetrov.info
> Subject: [ssh_x509] Query regarding X.509 code patch returning error
>         in fips mode.
> Message-ID: <mailman.217.1358400667.587791.ssh_x509_roumenpetrov.info at roumenpetrov.info>
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi List members,
>
>  I have a very specific query regarding the patch for X.509 over OpenSSH
> 5.9. I had applied version 7.1 of the patch. When I enabled FIPS mode,
> reloaded and tried to ssh to the box, I get a disconnection with one fatal
> and one error message in the log. The file 'ssh-xkalg.c' has a section for
> '#ifdef OPENSSL_FIPS' in the function 'ssh_add_x509key_alg', and in the
> check there, based on FIPS_mode(), it prints the error
> "ssh_add_x509pubkey_alg: rsa-md5 in not enabled in FIPS mode".
>
> Now, this function is called from two files, readconf.c and servconf.c.
> There, a fatal message is printed: "Bad X.509 key algorithm". This is
> because, if FIPS mode is enabled, the previous function has a goto jump
> to 'err' which returns -1, and hence it enters the check for
> 'ssh_add_x509key_alg(arg) < 1'. The end result is that ssh is not
> possible.
>
> The check for OPENSSL_FIPS is not there in patch 7.0 for X.509. So my
> question is whether anyone has faced a situation like this (if yes, a
> solution will be of great help) or whether there is any patch available for
> this. If there is any mistake in my setup, what could it be? I tried to
> search forums/the internet for a similar problem, but couldn't find anyone
> who faced a similar error.
>
> It will be a great help to me if you could help or give some pointers.
>
>
> Regards,
> Anand
>
>
> ------------------------------
>
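The failure path described in the thread, as an added illustration (this is a simplified model written for this page, not code from the X.509 patch or OpenSSH): a stand-in for ssh_add_x509key_alg() parses an X509KeyAlgorithm value such as "x509v3-sign-rsa,rsa-md5", refuses a non-FIPS digest when FIPS mode is on by returning -1, and the caller then reports "Bad X.509 key algorithm". The function names, the FIPS-digest list and the "rsa-sha1" value are assumptions made for the model.

```c
/* Added model of the patch's FIPS gating; names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSL's FIPS_mode(): 1 when FIPS mode is enabled. */
static int fips_enabled = 0;
void set_fips_mode(int on) { fips_enabled = on; }

/* Assumed list of digests acceptable in FIPS mode; MD5 is absent. */
static const char *fips_digests[] = { "rsa-sha1", "rsa-sha256", NULL };

static int digest_allowed_in_fips(const char *dgst) {
    for (const char **p = fips_digests; *p != NULL; p++)
        if (strcmp(*p, dgst) == 0) return 1;
    return 0;
}

/* Model of ssh_add_x509key_alg(): 1 on success, -1 on error
 * (the real function jumps to 'err' and returns -1 on failure). */
int model_add_x509key_alg(const char *arg) {
    char buf[128];
    char *comma;
    if (strlen(arg) >= sizeof(buf)) return -1;
    strcpy(buf, arg);
    comma = strchr(buf, ',');
    if (comma == NULL) return -1;          /* expect "<sigalg>,<digest>" */
    *comma = '\0';
    const char *sigalg = buf;
    const char *dgst = comma + 1;
    if (strcmp(sigalg, "x509v3-sign-rsa") != 0) return -1;
    if (fips_enabled && !digest_allowed_in_fips(dgst)) {
        /* The path the reporter hit: error logged, then -1 returned. */
        fprintf(stderr, "%s is not enabled in FIPS mode\n", dgst);
        return -1;
    }
    return 1;
}

/* Model of the readconf.c / servconf.c caller: a negative result is
 * treated as a bad algorithm (fatal() in the real code). */
int model_parse_config_line(const char *value) {
    if (model_add_x509key_alg(value) < 0) {
        fprintf(stderr, "Bad X.509 key algorithm\n");
        return 0;
    }
    return 1;
}
```

With FIPS mode off the rsa-md5 line is accepted; with it on, only an entry naming a FIPS-acceptable digest gets past the caller's check.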


