[ssh_x509] Validating host with certificate chain

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon May 15 22:09:46 EEST 2017

Hi Ron,

Thanks for report .

ssh_x509 at roumenpetrov.info wrote:
> Hello,
> I recently installed pkixssh 10.1.1. It built fine and I’ve managed to do a successful key exchange with it using an RSA host key and X509 RSA certificate that I generated myself, chained through an intermediate CA to a private root CA. However, so far, I’ve only been able to get this to work when I provide the client with both the root CA and the intermediate CA in its X509 store. If I provided only the root CA on the client, the validation fails, even though I have configured the server to send a certificate chain which includes both a server certificate for the host and the intermediate CA.
> Looking at the debug messages on the client, it appears to be receiving two certificates from the server during the key exchange, but it doesn’t appear to be able to use the intermediate CA provided by the server in the verification. Here’s what I see when the client trusts only the root CA:
> [SNIP]
> However, when I add the intermediate CA to the client’s X509 store, it succeeds:
> [SNIP]
> In both cases, the server is sending the server certificate and intermediate CA (as you can see in the debug output at the top where there’s a certificate count of 2 and an OCSP response count of 2).
> Any idea what I might be doing wrong that’s preventing the client from using the intermediate CA provided by the server?

Unfortunately it is mistake in code - certificates from key are not 
passed to verification routine.
It is corrected by attached patch 

> Thanks in advance for any advice you can provide!

Roumen Petrov

Secure shell with X.509 certificate support

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-pass-key-chain-with-X.509-certificates-to-verify-met.patch
Type: text/x-diff
Size: 2920 bytes
Desc: not available
URL: <http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/attachments/20170515/5b481860/attachment.bin>

More information about the ssh_x509 mailing list