[ssh_x509] ssh handshake failed in FIPS mode

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri Jul 19 13:49:52 EEST 2019


Another pointer is that we have strict hostkey checking enabled on the client side.

>>>>>
StrictHostKeyChecking yes

and my known_hosts file has the following entry

Client228 x509v3-sign-rsa subject= CN=Client228,OU=UK,O=Xyz,L=zyX,ST=MyPlace,C=KG
<<<<<

Thanks
gks

On Fri, 19 Jul 2019 at 14:58, <ssh_x509 at roumenpetrov.info> wrote:
>
> Hi
>
>   In continuation of this, we have one more requirement. What happens
> is - we need to support both algorithms:
>
> >>>>>>
> PubkeyAlgorithms x509v3-sign-rsa
> X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
>
> and
> PubkeyAlgorithms x509v3-rsa2048-sha256
> X509KeyAlgorithm x509v3-rsa2048-sha256,rsa2048-sha256
> <<<<<<
>
> Is there any way we can achieve this?
>
> Thanks
> GKS
>
> On Fri, 17 May 2019 at 00:31, <ssh_x509 at roumenpetrov.info> wrote:
> >
> > Hi,
> >
> > I did some tests and it seems to me that support for "x509v3-rsa2048-sha256"
> > algorithms will be based on the attached experimental patch
> > "0002-TESTING-x509v3-rsa2048-sha256.patch"
> >
> > Remarks:
> > - registration requires explicit set of signature name:
> > ...ssh_add_x509key_alg("x509v3-rsa2048-sha256,rsa2048-sha256,rsa2048-sha256")
> > ....  (*)
> > - set of p->type = KEY_X509_RSA; is for pre 12.0 (not tested)
> >
> >
> > (*)
> > Daemon was run with "AcceptedAlgorithms=x509v3-rsa2048-sha256,rsa-sha2*"
> > and RSA+CERT host key and third party software accepts such host key
> > X.509 algorithm.
> >
> >
> > Regards,
> > Roumen
> >
> > _______________________________________________
> > ssh_x509 mailing list
> > ssh_x509 at roumenpetrov.info
> > http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info