[ssh_x509] x509 tests fail on Mac OSX (pkixssh8.6)

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Dec 6 11:14:05 EET 2015


Hello,
ssh_x509 at roumenpetrov.info wrote:
> Hello,
>
> I was testing pkixssh8.6 on Mac OSX (on 10.10/Yosemite and 10.11/El
> Capitan), and noticed that the X509 specific tests fail on both.
I would like to know whether a specific test fails or whether the tests
for a public key algorithm fail.
> On 10.10, it fails when using the system OpenSSL implementation, but
> works with LibreSSL 2.2.4 (manually compiled/installed into /opt)
I would like to know the OpenSSL version (an Internet query shows versions
from the 1.0.1 branch).

Some vendors distribute versions like 1.0.2 before the final (official) release.
The issue is that some 1.0.2 beta version has a defect in certificate
verification.
The issue is related to self-signed certificates.
openssl verify ./ca-test/crt/catest-root0.crt.pem returns only
"error 18 ..."

> On 10.11, the system SSL implementation is unusable (./configure fails
> the openssl header check). It seems that Apple has replaced OpenSSL
Try with --without-openssl-header-check "Disable OpenSSL version
consistency check"

Usually Apple distributes only the upgraded library as a patch. Within the
patch the version is incremented, but the patch (hotfix, service pack, etc.)
does not include updated headers.

> with LibreSSL, but not in a way that's usable for ssh (presumably
> fPIC/fPIE related). If I compile LibreSSL 2.2.4 and use that, it will
> build, but the tests fail as they do on 10.10).

> I've attached output for both configurations. Please let me know if
> there's more information needed to fix this bug (I'm available to test
> patches).
The list strips most attachments.
For instance, it accepts content types such as text/plain and text/x-diff.

I'm not sure that the configuration result will help to find why the X.509
tests fail.
Let's see the results with openssl, i.e. in <BUILDDIR>/tests/CA run verify.sh
located in <SOURCEDIR>/tests/CA/verify.sh

OpenSSL depends on compilers. In some cases a build without
compiler optimizations or assembler may help.

OpenSSH configuration has options such as --without-stackprotect and
--without-hardening.
If the compiler is identified as gcc, the configure script adds some compiler
and linker flags.


Regards,
Roumen Petrov




