[ssh_x509] test failure with patch 11.5 and openssl 1.1.1

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu Oct 25 21:00:07 EEST 2018


Hello,

ssh_x509 at roumenpetrov.info wrote:
> Snippet where the test failed, let me know if more information is needed.
>
> =======================================================================
> Testing client and server with X.509 certificates:
> =======================================================================
>
> using: ./test-blob_auth.sh.inc
> * with CACertificateFile and
> * authorization by encoded public identity:
> =======================================================================
> Begin tests with authorization by encoded X.509 certificate ...
>    using identity file testid_rsa-rsa_sha1
>    * rsa_sha1 valid                                                    failed
>
> =======================================================================
> Testing client and server with X.509 certificates finished.
>    status:                                                             failed
> =======================================================================
>

Release is tested with:
11.5-ssl0.9.7m
11.5-ssl0.9.8zh
11.5-ssl0.9.8zh_fips
11.5-ssl1.0.0t
11.5-ssl1.0.1u
11.5-ssl1.0.1u_fips
11.5-ssl1.0.2p
11.5-ssl1.0.2_stable
11.5-ssl1.0.2_stable_fips
11.5-ssl1.1.0i
11.5-ssl1.1.0_stable
11.5-ssl1.1.1_stable
11.5-sslre2.5.5
11.5-sslre2.7.4
11.5-sslre2.8.0

In the above list, the _stable suffix means a build against OpenSSL from 
the respective branch. I cannot confirm that 11.5-ssl1.1.1_stable matches 
exactly OpenSSL release 1.1.1.
Remark: "*sslre*" is for LibreSSL.

So the first question is to confirm that the secure shell binaries are 
linked to the expected openssl version and that there is no mix between 
versions if the build is with ldap.
On my test build ldd ....11.5-ssl1.1.1_stable/ssh returns:
         linux-vdso.so.1 (0x00007fff7872d000)
         libldap-2.4.so.2 => /opt/openldap/2.4.46-ssl1.1.1_stable/usr/lib64/libldap-2.4.so.2 (0x00007f7360738000)
         liblber-2.4.so.2 => /opt/openldap/2.4.46-ssl1.1.1_stable/usr/lib64/liblber-2.4.so.2 (0x00007f7360529000)
         libssl.so.1.1 => /usr/local/openssl64/1.1.1_stable/lib/libssl.so.1.1 (0x00007f7360296000)
         libdl.so.2 => /lib64/libdl.so.2 (0x00007f7360092000)
         libcrypto.so.1.1 => /usr/local/openssl64/1.1.1_stable/lib/libcrypto.so.1.1 (0x00007f735fba7000)
         libutil.so.1 => /lib64/libutil.so.1 (0x00007f735f9a4000)
         libz.so.1 => /lib64/libz.so.1 (0x00007f735f78d000)
         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f735f555000)
         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f735f33a000)
         libc.so.6 => /lib64/libc.so.6 (0x00007f735ef71000)
         libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f735ed57000)
         libsasl2.so.3 => /usr/lib64/libsasl2.so.3 (0x00007f735eb3b000)
         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f735e91e000)
         /lib64/ld-linux-x86-64.so.2 (0x00007f7360c57000)
, i.e. the client is linked with the expected version.
From the above it is visible that ldap used the same version of the 
cryptographic library.

Regards,
Roumen Petrov
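
Added example (not part of the original message and not code from the PKIX-SSH project): the linkage check described above, as a shell function that reads ldd output and reports whether libssl/libcrypto resolve to a single build. The function and sample names are hypothetical; the first sample reuses lines from the ldd output above, the second is constructed.

```sh
#!/bin/sh
# Real use: ldd /path/to/ssh | check_crypto_mix   (path is a placeholder)
# Reads ldd output on stdin; prints "ok", "mixed" or "none".
check_crypto_mix() {
    awk '
        # Resolved entries look like: <soname> => <path> (<load address>)
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            n = split($3, parts, "/")
            dir = substr($3, 1, length($3) - length(parts[n]) - 1)
            ver = $1
            sub(/^lib(ssl|crypto)\.so\.?/, "", ver)   # soname version, e.g. 1.1
            dirs[dir] = 1
            vers[ver] = 1
        }
        END {
            nd = 0; for (d in dirs) nd++
            nv = 0; for (v in vers) nv++
            if (nd == 0)                print "none"   # no OpenSSL libraries resolved
            else if (nd > 1 || nv > 1)  print "mixed"  # two builds in one process
            else                        print "ok"
        }'
}

# Sample taken from the ldd output quoted in the message (subset of lines).
sample_consistent() {
cat <<'EOF'
         libldap-2.4.so.2 => /opt/openldap/2.4.46-ssl1.1.1_stable/usr/lib64/libldap-2.4.so.2 (0x00007f7360738000)
         libssl.so.1.1 => /usr/local/openssl64/1.1.1_stable/lib/libssl.so.1.1 (0x00007f7360296000)
         libcrypto.so.1.1 => /usr/local/openssl64/1.1.1_stable/lib/libcrypto.so.1.1 (0x00007f735fba7000)
         libc.so.6 => /lib64/libc.so.6 (0x00007f735ef71000)
EOF
}

# Constructed sample: a dependency drags in a second libcrypto from the system.
sample_mixed() {
cat <<'EOF'
         libssl.so.1.1 => /usr/local/openssl64/1.1.1_stable/lib/libssl.so.1.1 (0x00007f0000300000)
         libcrypto.so.1.1 => /usr/local/openssl64/1.1.1_stable/lib/libcrypto.so.1.1 (0x00007f0000200000)
         libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0000100000)
EOF
}

echo "consistent sample: $(sample_consistent | check_crypto_mix)"
echo "mixed sample:      $(sample_mixed | check_crypto_mix)"
```

ldd reports what the dynamic loader resolves in the current environment, so run the check with the same LD_LIBRARY_PATH the test suite uses.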






