X.509 certificate integration continue with PKCS11 and FIPS capable OpenSSL
Roumen Petrov
openssh at roumenpetrov.info
Mon Jan 16 06:38:46 EST 2012
Hello list members,
I would like to inform that version 7.1 of X.509 certificate support) is
ready.
The just published update from "Integration" series offer direct support
of X.509 certificates based on RSA keys from PKCS11module. Another
integration update is that now you could you use FIPS capable OpenSSL
library in FIPS mode.
As result of above mentioned features x509v3-sign-rsa public key
algorithm now prefer sha1 to md5. This mean that by default option
X509KeyAlgorithm is switched from
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
to
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 (not available in FIPS mode)
Note client and server use the first listed in for X509KeyAlgorithm for
signing and accept all listed as is documented in ssh_config(5) and
sshd_config(5) manual pages.
So if you user version before 5.3(released on 21 Jan 2006 ) you must update.
Third party clients and servers could check for PKIX in ssh
identification string to adjust at run time prefered signature hash.
Regards,
Roumen Petrov
--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
More information about the openssh-unix-dev
mailing list