LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
Lars Noodén
lars.nooden at gmx.com
Thu May 22 16:42:22 AEST 2025
On 5/22/25 05:40, Damien Miller wrote:
[snip]
> Please give the attached patch a try.
Yes, thank you very much. The patch works when applied and the three
cases where the certificate is expired, is not yet valid, or is not used
by the right principal are covered:
May 22 08:44:31 obsd sshd-session[1022]: error: Refusing certificate ID "edcba" serial=3 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: expired
May 22 08:46:43 obsd sshd-session[31281]: error: Refusing certificate ID "fedcb" serial=4 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: not yet valid
May 22 08:49:01 obsd sshd-session[34072]: error: Refusing certificate ID "gfedc" serial=5 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: name is not a listed principal
It was tested on:
$ uname -srm
OpenBSD 7.7 amd64
$ grep -A1 '^OpenBSD' /var/run/dmesg.boot | tail -n 2
OpenBSD 7.7-current (GENERIC) #660: Tue May 20 23:57:50 MDT 2025
deraadt at amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
It's very much appreciated.
What's the preference for adding to a wish list the case of merging two
log lines into one, bugzilla or bugs@? That'd be when the connection is
refused due to certificate options, like if there is a valid certificate
but not from a permitted source address.
/Lars
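The refusal lines quoted above are exactly the kind of event a host-based detection would want to pick out of the auth log: which CA signed the refused certificate, which serial, and why sshd rejected it. The following is an added example, not code from the thread or from OpenSSH: it unwraps mail-wrapped entries back into one line each, parses the `Refusing certificate ID ... Certificate invalid: <reason>` format shown in the message, and aggregates refusals per CA fingerprint and reason. The three sample entries are copied from the message above; the `Accepted publickey` filler line and the `noisy_cas` threshold rule are constructed for the example and are not part of the original.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# A syslog-style entry starts with "Mon DD HH:MM:SS"; any other line is
# treated as a continuation of the previous entry (mail-client wrapping).
TS_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# Field layout of the sshd-session refusal line as quoted in the thread.
# The text after "Certificate invalid:" is captured verbatim rather than
# enumerated, so reasons not shown in the thread still parse.
REFUSAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd-session\[(?P<pid>\d+)\]: error: Refusing certificate ID "
    r'"(?P<cert_id>[^"]*)" serial=(?P<serial>\d+) signed by '
    r"(?P<ca_type>\S+) CA (?P<ca_fp>SHA256:[A-Za-z0-9+/=]+): "
    r"Certificate invalid: (?P<reason>.+)$"
)

CA_FP = "SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE"

# Sample input: the three entries from the message (wrapped as a mail client
# would wrap them) plus one constructed, unrelated line to show filtering.
SAMPLE_LOG = """\
May 22 08:44:31 obsd sshd-session[1022]: error: Refusing certificate ID
"edcba" serial=3 signed by ED25519 CA
SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid:
expired
May 22 08:46:43 obsd sshd-session[31281]: error: Refusing certificate ID
"fedcb" serial=4 signed by ED25519 CA
SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid:
not yet valid
May 22 08:49:01 obsd sshd-session[34072]: error: Refusing certificate ID
"gfedc" serial=5 signed by ED25519 CA
SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid:
name is not a listed principal
May 22 08:50:12 obsd sshd-session[35001]: Accepted publickey for lars from 192.0.2.10 port 40000 ssh2
"""


@dataclass(frozen=True)
class Refusal:
    ts: str
    host: str
    pid: int
    cert_id: str
    serial: int
    ca_type: str
    ca_fp: str
    reason: str


def unwrap(text: str) -> list[str]:
    """Rejoin entries that were wrapped across several lines."""
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if entries and not TS_START.match(line):
            entries[-1] += " " + line.lstrip()
        else:
            entries.append(line)
    return entries


def parse_refusals(text: str) -> list[Refusal]:
    """One Refusal per certificate-refusal entry; other entries are ignored."""
    out: list[Refusal] = []
    for entry in unwrap(text):
        m = REFUSAL_RE.match(entry)
        if m is None:
            continue
        d = m.groupdict()
        out.append(Refusal(ts=d["ts"], host=d["host"], pid=int(d["pid"]),
                           cert_id=d["cert_id"], serial=int(d["serial"]),
                           ca_type=d["ca_type"], ca_fp=d["ca_fp"],
                           reason=d["reason"]))
    return out


def count_by_ca_and_reason(refusals: list[Refusal]) -> Counter:
    """Histogram keyed by (CA fingerprint, refusal reason)."""
    return Counter((r.ca_fp, r.reason) for r in refusals)


def noisy_cas(refusals: list[Refusal], threshold: int) -> dict[str, int]:
    """Hypothetical alert rule: CAs whose certs were refused >= threshold times."""
    per_ca = Counter(r.ca_fp for r in refusals)
    return {ca: n for ca, n in per_ca.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_refusals(SAMPLE_LOG)
    for (ca, reason), n in sorted(count_by_ca_and_reason(found).items()):
        print(f"{n:3d}  {ca}  {reason}")
    print("CAs over threshold:", noisy_cas(found, 3))
```

Serial and CA fingerprint are the fields worth keying on: a run of refusals for one CA across many serials points at an issuance or clock problem on the CA side, whereas repeated refusals of a single serial point at one stale certificate on a client.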