Hello
I am facing a ssl hand shake issue in FIPS mode. I have the
following parameters in my ssh configuration files
>>> sshd - service side
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreUserKnownHosts no
IgnoreRhosts yes
MACs hmac-sha2-512
Ciphers aes256-ctr
KexAlgorithms ecdh-sha2-nistp384
PubkeyAlgorithms x509v3-sign-rsa
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
<<<<
>>>>ssh - client side
MACs hmac-sha2-512
Ciphers aes256-ctr
KexAlgorithms ecdh-sha2-nistp384
PubkeyAlgorithms x509v3-sign-rsa
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
<<<<<
Apart from the above there are other parameters also are there which I
think may not be much relevant here !
We use this for creating tunnels and take x509 cert based
authentication. We have authorisedkey file and known host file
populated properly.
When I try to connect from client to server - handshake fails ?
following is the last part of the client debug output.>>>>
...
debug2: ciphers stoc: aes256-ctr
debug2: MACs ctos: hmac-sha2-512
debug2: MACs stoc: hmac-sha2-512
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp384
debug1: kex: host key algorithm: x509v3-sign-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-512
compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-512
compression: none
debug3: send packet: type 30
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
<<<<
In server side>>>>
debug2: ciphers ctos: aes256-ctr [preauth]
debug2: ciphers stoc: aes256-ctr [preauth]
debug2: MACs ctos: hmac-sha2-512 [preauth]
debug2: MACs stoc: hmac-sha2-512 [preauth]
debug2: compression ctos: none,zlib at openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib at openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: ecdh-sha2-nistp384 [preauth]
debug1: kex: host key algorithm: x509v3-sign-rsa [preauth]
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-512
compression: none [preauth]
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-512
compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_xkey_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: ssh_x509_sign: key alg/type/name:
x509v3-sign-rsa/RSA+cert/x509v3-sign-rsa
debug3: ssh_x509_sign: compatibility: { 0x00000000, 0x00000000 }
debug3: ssh_x509_sign: alg=x509v3-sign-rsa, md=rsa-sha1
ssh_x509_EVP_PKEY_sign: EVP_SignInit_ex fail with
errormsg='error:060B5098:lib(6):func(181):reason(152)'
debug3: ssh_x509_sign: return -22
mm_answer_sign: Xkey_sign failed: error in libcrypto
debug1: do_cleanup
debug1: Killing privsep child 28609
<<<<
What could be the problem. Any pointers on this would be of great help for me.
Thanks
~S