[ssh_x509] PKIX-SSH release 9.0

ssh_x509 at roumenpetrov.info
Wed Aug 3 22:51:47 EEST 2016

Dear All,

The new major release 9.0 of PKIX-SSH has just been published. This 
version includes the following important enhancements:

* internal build of certificate chain
   Public key algorithms described in [RFC6187] require a chain of 
certificates leading to a trusted certificate authority to be sent as 
part of the public key data.
   Before version 9.0 it was the user's responsibility to specify those 
certificates as part of the private key file. It was not possible for 
keys and X.509 certificates stored on external devices to satisfy the 
[RFC6187] requirement. Now, when an [RFC6187] key is loaded, the 
programs (client, server) use certificates from the private key file 
and the X.509 store to build the
   The PKCS11 module is a specific case: the case when the module is 
used with the agent (ssh-add -s ...). Now the ssh agent supports X.509 
certificates and uses the system default store defined at build time. 
In addition, the new ssh-add option -S allows the user to add extra 
certificates to the store. Those certificates and the system default 
store are used to build the certificate chain.
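
The [RFC6187] requirement above is that the chain travels inside the 
public key blob itself. The following is an added example, not code 
from PKIX-SSH, that encodes and parses that blob layout (algorithm 
name, certificate-count, DER certificates with the sender's certificate 
first, then OCSP responses) and rejects a blob with no certificates; 
the certificate bytes are constructed placeholders, not real DER.

```python
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string' (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_x509_pubkey(algo: str, chain, ocsp=()) -> bytes:
    """Build an RFC 6187 public key blob.

    chain[0] must be the end-entity (sender's) certificate; the remaining
    entries are the intermediates leading towards a trusted CA. The trust
    anchor itself need not be included, since the peer already holds it.
    """
    if not algo.startswith("x509v3-"):
        raise ValueError("not an RFC 6187 algorithm name: %r" % algo)
    if not chain:
        raise ValueError("certificate-count must be >= 1 (sender's certificate)")
    blob = _ssh_string(algo.encode("ascii")) + struct.pack(">I", len(chain))
    blob += b"".join(_ssh_string(der) for der in chain)
    blob += struct.pack(">I", len(ocsp)) + b"".join(_ssh_string(r) for r in ocsp)
    return blob


def _read_u32(blob: bytes, off: int):
    if off + 4 > len(blob):
        raise ValueError("truncated uint32 at offset %d" % off)
    return struct.unpack_from(">I", blob, off)[0], off + 4


def _read_string(blob: bytes, off: int):
    n, off = _read_u32(blob, off)
    if off + n > len(blob):
        raise ValueError("truncated string at offset %d" % off)
    return blob[off:off + n], off + n


def decode_x509_pubkey(blob: bytes):
    """Parse a blob into (algo, chain, ocsp); malformed input raises ValueError."""
    algo_b, off = _read_string(blob, 0)
    algo = algo_b.decode("ascii")
    if not algo.startswith("x509v3-"):
        raise ValueError("not an RFC 6187 algorithm name: %r" % algo)
    count, off = _read_u32(blob, off)
    if count == 0:
        raise ValueError("certificate-count is 0; the sender's certificate is mandatory")
    chain, ocsp = [], []
    for _ in range(count):
        der, off = _read_string(blob, off)
        chain.append(der)
    ocount, off = _read_u32(blob, off)
    for _ in range(ocount):
        resp, off = _read_string(blob, off)
        ocsp.append(resp)
    if off != len(blob):
        raise ValueError("trailing bytes after the OCSP responses")
    return algo, chain, ocsp


# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEAF_DER = b"DER:user-certificate"
INTERMEDIATE_DER = b"DER:intermediate-ca"
```

A receiver that validates the parsed chain against its X.509 store is 
what makes the sender's omission of the root certificate safe.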

* remove build option --disable-x509store
    Support of [RFC6187] public key algorithms requires a working X.509 
store.

* remove build option --enable-x509v3-ecdsa
    Support of x509v3-ecdsa-sha2-... is now the default for X509KeyAlgorithm 
    In other words, support for X.509 certificates with EC keys is 
considered complete.

* port to OpenSSL 1.1 API
    Most of the code is rewritten to use the API from OpenSSL 1.1 development 
    The new API is back-ported locally and used if the build is with OpenSSL 
versions before 1.1. The model of functional checks at configure time 
allows building with OpenSSL-compatible libraries.

* Android port
    Code is updated to support various versions of the Bionic "C" library.
    Now the Android-specific logging functionality is used from all 
    A simplified password file is managed. It supports only one password 
record with an md5 hash. This allows the ssh daemon to support password 

* dump of configuration
    The commands that dump the client/server configuration now properly 
generate the directive VAType.

Roumen Petrov
