[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jun 21 12:25:56 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3577

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3701|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3701
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3701&action=edit
show only valid CA signing algorithms for -Q CASignatureAlgorithms

> The patch indeed fixes the configuration-file behavior. It doesn't fix
> `ssh -Q CASignatureAlgorithms` still producing the wrong output, however.

Yeah, it was using the list of all signature algorithms.

> Also: You introduced a new variable ca_only that is true for 
> CASignatureAlgorithms and false for all others. Shouldn't it then perhaps
> be named more something like no_ca, as CASignatureAlgorithms does not
> accept only ca algorithms, but rather the exact opposite or what did I miss?

ca_only = algorithms that are valid for CAs to sign certificates.
