Announce: X.509 certificates support in OpenSSH (version 6.0-International)

Roumen Petrov openssh at
Wed Aug 8 06:00:49 EST 2007

Today, I released a new version of "X.509 certificates support in 
OpenSSH" ( ).

Version 6.0 add following enhancements:

- Printable X.509 name attributes compared in UTF-8
Printable attributes are converted to utf-8 before to compare. This 
allow distinguished name in "authorized keys" file to be in UTF-8.

- "Distinguished Name" with escaped symbols or in UTF-8 codeset(charset)
File "authorized keys" can contain "distinguished Name" (subject) with 
escaped symbols or in UTF-8 charset. If unescaped certificate subject 
contain characters with code above 127(us-ascii) it is handled always as 
UTF-8 string.

- LDAP queries in conformance to [RFC2254]
In validation process "X.509 store" lookup for certificates and CRLs in 
files stored on file system. If is enabled (at configure time) this 
lookup can query LDAP server too. Attributes in query should be escaped 
and the versions before current escape attributes as is described in 
[RFC2253]. Now attributes are escaped in addition as is recommended in 

- Restored support for openssl 0.9.6
OpenSSL EVP_MD structure that handle so called "dss-raw" signatures can 
be compiled with openssl 0.9.6.

- Resolved cross-compilation issue
Test for "Email" in "Distinguished Name" (openssl 0.9.6 and earlier) in 
file is modified to handle cross-compilation.

- Certificates for RSA keys size greater than 2048
Limitation for big RSA keys is resolved.

- Regression tests with multi-language "distinguished name" in utf-8
To enable uncomment #SSH_DN_UTF8_FLAG='-utf8' in 
"[SOURECDIR]/tests/CA/config", go in "[BUILDIR]/" and run tests. If test 
certificates are created, before to run tests again with flag enabled, 
go in "[BUILDIR]/tests/CA/", run make clean (this will remove created 
test certificates), return to "[BUILDIR]/" and run tests again.

On download page
you can found diff for OpenSSH versions 4.5p1 and 4.6p1.


More information about the openssh-unix-dev mailing list