[ssh_x509] broken "external keys" in OpenSSL 3+ or OpenSSL 3 is not ready for production use

ssh_x509 at roumenpetrov.info
Sat Feb 12 13:29:20 EET 2022


Hello,

So PKIX-SSH builds and passes the regression tests with OpenSSL 3.0.
Note that it does not support the OpenSSL 3.0 API and there is no plan to support it. The estimated target is the OpenSSL 3.1 API.


The fact that PKIX-SSH passes some tests does not mean that OpenSSL 3.0 is usable, due to some issues:
(1) broken "external keys" in stable 3.0 : https://github.com/openssl/openssl/issues/17286
(2) broken engine provided "external keys" in stable 3.0 : https://github.com/openssl/openssl/issues/17092

The above means that keys stored on a secure token cannot be used directly (1) from a PKCS#11 module, nor indirectly (2) from an engine using either the classical Engine API or the Store2 API.

Remark: the e_nss engine supports both the Engine API and the Store2 API.


I don't think that the issue is PKIX-SSH related. For instance, in OpenSSL #17092 you can find a reference to another report related to the pkcs11 engine.
Moreover, the functionality works just fine with all OpenSSL releases starting from 0.9.7 up to the last real stable, 1.1.1.

Regards,
Roumen Petrov
