openssh unix dev - Jan 2012 - X.509 certificate integration continue with PKCS11 and FIPS capable OpenSSL

Hello list members,

I would like to inform that version 7.1 of X.509 certificate support) is 
ready.

The just published update from "Integration" series offer direct
support
of X.509 certificates based on RSA keys from PKCS11module. Another 
integration update is that now you could you use FIPS capable OpenSSL 
library in FIPS mode.


As result of above mentioned  features  x509v3-sign-rsa public key 
algorithm now prefer sha1 to md5. This mean that by default option 
X509KeyAlgorithm is switched from
   X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
   X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
to
   X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
   X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 (not available in FIPS mode)

Note client and server use the first listed in for X509KeyAlgorithm for 
signing and accept all listed as is documented in ssh_config(5) and 
sshd_config(5) manual pages.

So if you user version before 5.3(released on 21 Jan 2006 ) you must update.
Third party clients and servers could check for PKIX in ssh 
identification string to adjust at run time prefered signature hash.


Regards,
Roumen Petrov


-- 
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/