[ssh_x509] ssh handshake failed in FIPS mode

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Jul 20 15:17:01 EEST 2019


Thanks a lot for the reply. But I am afraid if this solution would be
suitable for my setup. My requirement is the interoperability between
old and new versions of softwares. like in the new version we move ssl
and ssh to new version and the key algorithm also move to a different
one. But there could be systems with old software that try to connect
to my server with new software. Then it need to work. So there I may
not be able to control it based on domain.

Thanks
gk

On Sat, 20 Jul 2019 at 01:09, <ssh_x509 at roumenpetrov.info> wrote:
>
> Hi,
>
> ssh_x509 at roumenpetrov.info wrote:
> > Hi
> >
> >    In continuation of this , we have one more requirement. What happens
> > is - we need to support both the algorithm (
> >
> > [SNIP]
> > PubkeyAlgorithms x509v3-sign-rsa
> > X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
> >
> > and
> > PubkeyAlgorithms x509v3-rsa2048-sha256
> > X509KeyAlgorithm x509v3-rsa2048-sha256,rsa2048-sha256
> > <<<<<<
> >
> > Is there any way we can achieve this?
>
> First X509KeyAlgorithmis quite specific configuration. Its intended use
> is compatibility with third party applications.
>
> PubkeyAlgorithms could be used on "Host" basis. I mean that in general ("Host *" as last section in configuration) you could use x509v3-rsa2048-sha256 and for certain hosts (third party) to restrict
>
>
> Sample (client config):
> ...
> Host *ssh.com
>
> PubkeyAlgorithms x509v3-sign-rsa
> X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
>
>
> Host *vandyke.com
>
> PubkeyAlgorithms x509v3-sign-rsa
> X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
>
> Host*
> PubkeyAlgorithms x509v3-rsa2048-sha256
> ....
>
> Remark: Today Vandyke may use "rsa-sha1" - no idea. For sure recent company software supportsx509v3-ssh-rsa and x509v3-ssh-dss.
>
> So with above you support all.
>
>
> On server side. X509KeyAlgorithm  is "global" option similar as PubkeyAlgorithms. It cannot be in Match directive.
> If this is the case we could discuss in addition.
>
>
> > Thanks
> > GKS
> Regards,
> Roumen
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info



More information about the ssh_x509 mailing list