Re: LogLevel INFO shows few details for Certificate invalid: not yet valid / expired

On 5/22/25 05:40, Damien Miller wrote:
[snip]
> Please give the attached patch a try.

Yes, thank you very much. The patch works when applied and the three cases where the certificate is expired, is not yet valid, or is not used by the right principal are covered:

May 22 08:44:31 obsd sshd-session[1022]: error: Refusing certificate ID "edcba" serial=3 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: expired

May 22 08:46:43 obsd sshd-session[31281]: error: Refusing certificate ID "fedcb" serial=4 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: not yet valid

May 22 08:49:01 obsd sshd-session[34072]: error: Refusing certificate ID "gfedc" serial=5 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: name is not a listed principal

It was tested on:

$ uname -srm
OpenBSD 7.7 amd64

$ grep -A1 '^OpenBSD' /var/run/dmesg.boot  | tail -n 2
OpenBSD 7.7-current (GENERIC) #660: Tue May 20 23:57:50 MDT 2025
    deraadt@xxxxxxxxxxxxxxxxx:/usr/src/sys/arch/amd64/compile/GENERIC

It's very much appreciated.

What's the preference for adding to a wish list the case of merging two log lines into one, bugzilla or bugs@? That'd be when the connection is refused due to certificate options, like if there is a valid certificate but not from a permitted source address.

/Lars
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
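The three refusal lines quoted above have a fixed shape, which makes them easy to pick out of sshd logs and aggregate per CA and per reason (a burst of "expired" from one CA usually means a cert rollout was missed, a burst of "not yet valid" usually means clock skew). The parser below is an added example written for this page, not code from the thread or from OpenSSH; it assumes the exact message format shown in the post, the three log lines are copied from it, and the fourth, non-matching line is constructed.

```python
import re
from collections import Counter

# Three lines copied from the post above plus one constructed unrelated line,
# so that the parser is exercised on a line it must ignore.
SAMPLE_LOG = """\
May 22 08:44:31 obsd sshd-session[1022]: error: Refusing certificate ID "edcba" serial=3 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: expired
May 22 08:46:43 obsd sshd-session[31281]: error: Refusing certificate ID "fedcb" serial=4 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: not yet valid
May 22 08:49:01 obsd sshd-session[34072]: error: Refusing certificate ID "gfedc" serial=5 signed by ED25519 CA SHA256:4ZyxpgCaw3Y8wz91ajLWARibUGfwyuOrftt2wermMJE: Certificate invalid: name is not a listed principal
May 22 08:50:12 obsd sshd-session[34100]: Connection closed by 192.0.2.10 port 51234 (constructed line)
"""

# Matches the "Refusing certificate" error exactly as logged in the post.
# Assumption: the format stays as shown there (syslog prefix, process name
# sshd-session, then the fixed error text).
REFUSAL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'sshd-session\[(?P<pid>\d+)\]: error: Refusing certificate '
    r'ID "(?P<cert_id>[^"]*)" serial=(?P<serial>\d+) '
    r'signed by (?P<ca_type>\S+) CA (?P<ca_fp>\S+): '
    r'Certificate invalid: (?P<reason>.+)$'
)


def parse_refusal(line):
    """Return a dict of the refusal's fields, or None if the line is not a
    certificate refusal."""
    m = REFUSAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["serial"] = int(rec["serial"])
    return rec


def parse_refusals(log_text):
    """All certificate refusals in a block of log text, in order."""
    recs = []
    for line in log_text.splitlines():
        rec = parse_refusal(line)
        if rec is not None:
            recs.append(rec)
    return recs


def summarize(log_text):
    """Count refusals by reason and by signing CA fingerprint, which is the
    view an operator wants when deciding whether a single CA's certificates
    are stale or a single host's clock is wrong."""
    recs = parse_refusals(log_text)
    return {
        "records": recs,
        "by_reason": Counter(r["reason"] for r in recs),
        "by_ca": Counter(r["ca_fp"] for r in recs),
        # (cert id, serial) pairs let you go back to the CA's issuance log.
        "certs": sorted((r["cert_id"], r["serial"]) for r in recs),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for reason, n in s["by_reason"].items():
        print(f"{n:3d}  {reason}")
    for ca, n in s["by_ca"].items():
        print(f"{n:3d}  signed by {ca}")
    print("certs:", s["certs"])
```

Run it on a real log with `summarize(open("/var/log/authlog").read())`; anything the regex does not match is dropped rather than guessed at, so a format change in a future sshd release shows up as a sudden drop to zero refusals rather than as mis-parsed records.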
