[ssh_x509] pkix-ssh release 8.1

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Sep 29 23:49:05 EEST 2014

Hello All,

I would like to announce availability of PKIX-SSH release 8.1. This 
version correct and enhance support of crypto library in FIPS mode.

Main updates:
- remove EVP_dss1raw as does not work with OpenSSL 1.0.2 in FIPS mode
     OpenSSL 1.0.2 does not export any more FIPS EVP structures. This 
impact custom implemenation of EVP_dss1 with signature encoding 
according SSH norms. In version 8.1 EVP_MD struture dss1raw is replaced 
with wraper for OpenSSL methods EVP_SignFinal and EVP_VerifyFinal that 
recode signature according SSH norms.

- support fipscheck library
     Red Hat-and Red Hat based distribution like CentOS use own FIPS 
validated OpenSSL implementation and own process for verification if 
FIPS mode based of fipscheck library.

- restore arc4random in FIPS mode
     Unfortunately replacement of of RC4 based arc4random* functions in 
version 7.8 based on OpenSSH 6.5p1 does not follow previous rules. 
Regression is corrected in this version 8.1 based on OpenSSH 6.5p1.

- ssh-keysign avoid dependency from "X.509 store" objects
     Now dependencies of ssh-keysign to external libraries are minimized.

- search know host file by key subtype
     Search for host keys in know host file is enhanced to take into 
account curve used for EC keys.

Roumen Petrov

More information about the ssh_x509 mailing list