[ssh_x509] pkix-ssh release 8.5

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Aug 13 01:10:02 EEST 2015

Dear All,

The new version 8.4 just have been published with following updates:
- dump X.509 purpose
     Server(sshd) output properly AllowedCertPurpose in extended test 
mode(option -T).

- look up by LDAP errors and reasons
     Properly initialize offset of error codes and reasons in OpenSSL 
look up method X.509 'By LDAP'.

- ECDSA for OpenSSL 0.9.8+(compatibility)
     With implementation of custom EVP digest methods X.509 EC 
certificates could be used in OpenSSL 0.9.8 versions.

- EC keys from engine(experimental)
     OpenSSL engine support now could use EC keys from external devices.

- modifications from openssh 6.9.p1

This version adds support for EC keys from external devices based on 
OpenSSL engines. The implementation is only for testing purposes 
x509v3-ecdsa-sha2-* public key  algorithms are not fully compatible with 
format described in RFC 6187. Currently only certificate that match key 
is send instead certificate chain. PKIX-SSH server accept such keys but 
other implementations may reject them. This will be corrected in next 
PKIX-SSH is tested with e_nss  v0.5 - OpenSSL engine for Network 
Security Services (NSS). This engine allows use of keys and X.509 
certificates from "store(certificate manager)" used by Mozilla based 
browsers like Firefox, Seamonkey and etc.
It is expected to work with pkcs11 engine from OpenSC project but is not 
tested. I don't have security tokens with X.509 certificates.

Roumen Petrov

More information about the ssh_x509 mailing list