[ssh_x509] x509 tests fail on Mac OSX (pkixssh8.6)

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Dec 9 02:27:22 EET 2015

On Sun, Dec 6, 2015 at 3:14 AM,  <ssh_x509 at roumenpetrov.info> wrote:
> Hello ,
> ssh_x509 at roumenpetrov.info wrote:
>> Hello,
>> I was testing pkixssh8.6 on Mac OSX (on 10.10/Yosemite and 10.11/El
>> Capitan), and noticed that the X509 specific tests fail on both.
> I would like to know is specific test fail or if tests for a public key
> algorithm fail.

* against CACertificatePath:
Begin test with base key_file testid_rsa ...
  - autorization by x509 Subject against CA key rsa_sha1
  * rsa_sha1

Permission denied (publickey).

Testing client and server with X.509 certificates finished.


>> On 10.10, it fails when using the system OpenSSL implementation, but
>> works with LibreSSL 2.2.4 (manually compiled/installed into /opt)
> I would like to know OpenSSL version (Internet query show versions from
> 1.0.1 branch ).

10.10 currently has OpenSSL 1.0.2.d 9 Jul 2015

> Some vendors distribute version like 1.0.2 before final(official) release.
> Issue is that some 1.0.2 beta version has a defect in certificate
> verification.
> Issue is related to self signed certificates.
> openssl verify ./ca-test/crt/catest-root0.crt.pem show return only "error 18
> ..."
>> On 10.11, the system SSL implementation is unusable (./configure fails
>> the openssl header check). It seems that Apple has replaced OpenSSL
> Try with   --without-openssl-header-check "Disable OpenSSL version
> consistency check"

Doesn't seem to help on 10.11.

> Usually apple distribute as patch only upgraded library. Within patch
> version is incremented, but patch(hotfix, service pack, etc. ) does not
> include updated headers.


>> with LibreSSL, but not in a way that's usable for ssh (presumably
>> fPIC/fPIE related). If I compile LibreSSL 2.2.4 and use that, it will
>> build, but the tests fail as they do on 10.10).
>> I've attached output for both configurations. Please let me know if
>> there's more information needed to fix this bug (I'm available to test
>> patches).
> List strip most of attachments.
> For instance it accept content types as text/plain and text/x-diff.

Ok. They should've been in text/plain but maybe gmail did something strange.

> I'm not sure that configuration result will help to find why X.509 tests
> fail.
> Lets see results with openssl, i.e. in <BUILDDIR>/tests/CA run verify.sh
> located in <SOURCEDIR>/tests/CA/verify.sh

The tests pass on 10.10.

> OpenSSL depends from compilers.In some cases build build without compiler
> optimizations or assembler may help.
> OpenSSH configuration has options as --without-stackprotect and
> --without-hardening.
> If compiler is identified as gcc configure script adds some compiler and
> linker flags.

These did not help on 10.11 in conjunction with --without-openssl-header-check


More information about the ssh_x509 mailing list