[ssh_x509] ssh handshake failed in FIPS mode

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu May 16 21:26:45 EEST 2019


Sorry for late reply,

ssh_x509 at roumenpetrov.info wrote:
> Thank you very much for the reply. Sorry to say that we are in a bit
> older version level of openssh and PKIX patch. Currently we are in
> openssh 7.5p1 version level and hence the patch I applied is
> https://roumenpetrov.info/openssh/x509-10.1.1/openssh-7.5p1+x509-10.1.1.diff.gz.
> So the above diff would be good enough or do I need to add any more
> extra code ?

For oldest versions (before 12.0) the code has to set main type in 
method ssh_add_x509key_alg
p->type = KEY_X509_RSA;
p->basetype = KEY_RSA;

Also I note that in method X509key_from_buf2_common there is one "check 
if key match algorithm" that expects only one algorithm per "key type pair".
This control will be improved in next release.

For oldest releases it could be avoided (removed) if daemon or client 
configuration prevents "duplicate" algorithms.
For instance  options AcceptedAlgorithms set to x509v3-rsa2048-sha256 
prevents duplicates.

> Thanks in advance
> ~GKS


P.S. I will be not available for next two weeks.

More information about the ssh_x509 mailing list