[ssh_x509] information for OCSP enabled installations

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Feb 6 00:35:19 EET 2013

Hi Anand,

> Hi List members,
>   I have a very specific query regarding the patch for X.509 over OpenSSH
> 5.9. I had applied the 7.1 version of the patch. When I enabled FIPS mode and
> reloaded and tried to ssh to the box, I get disconnection with one fatal
> and one error message in the log. The file 'ssh-xkalg.c' has a section for
> '#ifdef OPENSSL_FIPS'  in the function 'ssh_add_x509key_alg' and in the
> check there, based on FIPS_mode(), it is printing the error
> "ssh_add_x509pubkey_alg: rsa-md5 in not enabled in FIPS mode".
I would like to confirm that md5 is not allowed in FIPS mode.
It is still supported for historical reasons (non-FIPS mode).

> Now, this function is called from two files readconf.c and servconf.c.
> There, a fatal message is printed "Bad X.509 key algorithm". This is
> because if the fips mode is enabled the previous function has a goto jump
> to 'err' which returns -1 and hence it enters in the check for
> 'ssh_add_x509key_alg(arg) < 1' . By this, end result is, ssh is not
> possible.
> The check for OPENSSL_FIPS is not there in the patch 7.0 for X.509. So my
> question is whether anyone faced a situation like this (if yes, a solution
> will be of great help) or whether there is any patch available for this. If
> there is any mistake in my setup, what could it be? I tried to search on
> forums/internet for similar problem, but couldn't get anyone who faced
> similar error.
> It will be a great help to me if you could help or give some pointers.
I guess that your configuration explicitly defines X509KeyAlgorithm.
If this is a client configuration, I would recommend that you do not
override X509KeyAlgorithm if the server is based on OpenSSH with X.509
certificate support.
Override this only for servers from certain vendors, but in this case you
cannot use FIPS mode.

Let me know if this is on the server side.

Also, version 7.1 changes the defaults and sha1 is preferred. This change will
not impact OpenSSH-based clients/servers.

> Regards,
> Anand


Get X.509 certificates support in OpenSSH:
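
A pre-flight check for the situation discussed in this thread, added here as an example (not part of the original message or of the X.509 patch): it scans ssh_config/sshd_config-style files for explicit X509KeyAlgorithm settings whose digest names md5, which the thread says is rejected in FIPS mode. The function names, the sample file contents and the `name,digest[,signature-name]` value form are assumptions.

```shell
#!/bin/sh
# fips_x509alg_check FILE...
# Prints "file:line: value" for each explicit X509KeyAlgorithm setting whose
# digest part names md5; returns 1 if any was found, 0 otherwise.
fips_x509alg_check() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)              # drop leading blanks
        if (line == "" || line ~ /^#/) next   # skip empty lines and comments
        # Keyword and value are separated by blanks and/or a single "=".
        n = match(line, /[ \t=]/)
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1)) # keywords are case-insensitive
        if (key != "x509keyalgorithm") next
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)       # strip the separator
        gsub(/"/, "", val)                    # strip optional quoting
        sub(/[ \t]+$/, "", val)
        # Assumed value form: name,digest[,signature-name]
        m = split(tolower(val), part, ",")
        if (m >= 2 && part[2] ~ /md5/) {
            printf "%s:%d: %s\n", FILENAME, FNR, val
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }
    ' "$@"
}

# Constructed sample configuration (not taken from the thread).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the check above
Host legacy
    X509KeyAlgorithm = "x509v3-sign-rsa,rsa-md5"
    x509keyalgorithm x509v3-sign-rsa,rsa-sha1
#   X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
EOF
}
```

Run it against the client and server configuration files before enabling FIPS mode; a non-zero return means at least one explicit md5 override needs to be removed or changed.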
