[ssh_x509] Self-signed certificates not allowed in version 12.6 "Host key verification failed"

ssh_x509 at roumenpetrov.info
Mon Apr 12 22:15:35 EEST 2021

ssh_x509 at roumenpetrov.info wrote:
> Hello everybody,
> I am testing version 12.6 of pkixssh and, as part of our tests, we test the authentication with X.509 certificates.
> The certificates used for the CA, host and user are self-signed certificates, created for testing purposes. In the previous version tested by me, pkixssh 12.3 (corresponding to OpenSSH 8.1), it worked, but with the current one, 12.6 (corresponding to OpenSSH 8.4), when the host certificate is received on the client side we get the following error:
>      ssh_verify_cert: verify error, code=18, msg='self signed certificate'
>      Host key verification failed.

Perhaps now the code is correct. Maybe commit e2cbe40673d91c377563173d6e6f710d40b51dbd makes the difference; it is part of the 12.4.3 release, announced as:
/X.509 based host-keys validation/
Regression was not fixed properly in previous release. Now result of X.509 based host-keys validation is checked properly.

Is the host certificate part of the "trusted store"?

Remark: PKIX-SSH does not use X509_V_FLAG_X509_STRICT and so is not impacted by the OpenSSL 1.1.1* regressions.

> Is there a way to avoid this error? The error is detected on the client side when trying to establish a connection.
> Thanks in advance!
> José Manuel Ciges Regueiro
> Unix Systems Administrator & LAMP developer

Roumen Petrov
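Added example, not from this thread and not PKIX-SSH's own code: the `code=18, msg='self signed certificate'` line quoted above is OpenSSL's verify result when a self-signed certificate cannot be chained to anything in the trust store, which is the point behind the "trusted store" question. The script below builds a constructed throwaway self-signed certificate and runs `openssl verify` twice, once with an empty trust store and once with that certificate itself loaded as the trust anchor, so the two outcomes can be compared side by side. It assumes the `openssl` command-line tool is installed; the subject name, file names and the `classify` helper are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: reproduce OpenSSL verify
# error 18 (self-signed certificate not in the trust store) for a constructed
# self-signed host certificate, and show the same certificate verifying once
# the trust store contains it. Requires the openssl CLI.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway key pair and self-signed certificate; test data only.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=host.example.test" \
    -keyout "$WORK/host.key" -out "$WORK/host.crt" >/dev/null 2>&1
}

# Verify against an empty trust store (no CAfile, no CApath). OpenSSL cannot
# reach a trusted anchor and stops at depth 0 with error 18.
verify_with_empty_store() {
  openssl verify -no-CAfile -no-CApath "$WORK/host.crt" 2>&1
}

# Verify with the self-signed certificate itself loaded as the trust anchor.
verify_with_cert_trusted() {
  openssl verify -no-CApath -CAfile "$WORK/host.crt" "$WORK/host.crt" 2>&1
}

# Reduce the verify output to a short verdict so a caller can branch on it.
# "error 18 at 0 depth" is printed by both OpenSSL 1.1.1 and 3.x, whereas the
# text message changed ("self signed" vs "self-signed"), so match the code.
classify() {
  case "$1" in
    *"error 18 at 0 depth"*) echo "untrusted-self-signed" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other" ;;
  esac
}

make_selfsigned_cert
echo "empty store:   $(classify "$(verify_with_empty_store)")"
echo "cert in store: $(classify "$(verify_with_cert_trusted)")"
```

The first run reports `untrusted-self-signed` and the second `ok`: nothing about the certificate changed between the two, only whether the verifier's trust store contained it. That is the difference the client-side "Host key verification failed" hinges on when the host certificate is self-signed rather than issued by a CA the client already trusts.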
