[ssh_x509] Test certificates from 'make check'

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Sep 11 20:24:00 EEST 2019

ssh_x509 at roumenpetrov.info wrote:
> Hi Everyone,
> I'm testing pkix-ssh. After 'make check'  [SNIP]  I have
> two questions.
> First, why was Netscape Cert Type used, and why was SSL Client selected?
First version is dated in 2002 and so some parts are outdated and based 
on available functionality at this time
For client identities (testid_*.crt)
             Netscape Cert Type:
                 SSL Client, S/MIME
but for server (testhostkey_*.crt):
             Netscape Cert Type:
                 SSL Client, SSL Server
Note host-based authentication.

Also option is AllowedCertPurpose for client and daemon.
May be is time to retire this functionality ....

> Second, why were Key Usage and Extended Key Usage omitted
> (https://tools.ietf.org/html/rfc6187#page-7)?
Mostly because are not supported by OpenSSL library.
PKIX-SSH still work with OpenSSL 0.9.7*.
Secure shell related key purpose are not supported by OpenSSL 1.0.2. 
First is 1.1.0.
These is issue with [oid_section] in configuration of "ancient" OpenSSL 
releases. This section is required to describe "extra" IDs on old 
OpenSSL releases.
And ...

Actuality I forgot other issues that lead to abandon support of rfc6187 
key usages four years ago.

> Thanks in advance,
> Jeffrey Walton

Roumen Petrov

More information about the ssh_x509 mailing list