Subject: Announce: X.509 certificates support in OpenSSH (version 6.0-International)
Date: Tue, 07 Aug 2007 23:01:41 +0300
Today, I released a new version of "X.509 certificates support in
OpenSSH" ( http://roumenpetrov.info/openssh/ ).


Version 6.0 adds the following enhancements:

- Printable X.509 name attributes compared in UTF-8
Printable attributes are converted to UTF-8 before comparison. This
allows the distinguished name in the "authorized keys" file to be in UTF-8.

- "Distinguished Name" with escaped symbols or in UTF-8 codeset (charset)
The "authorized keys" file can contain a "Distinguished Name" (subject) with
escaped symbols or in the UTF-8 charset. If an unescaped certificate subject
contains characters with codes above 127 (US-ASCII), it is always handled as
a UTF-8 string.

- LDAP queries in conformance to [RFC2254]
In the validation process, the "X.509 store" looks up certificates and CRLs in
files stored on the file system. If enabled (at configure time), this
lookup can query an LDAP server too. Attributes in the query should be escaped,
and versions before the current one escape attributes as described in
[RFC2253]. Now attributes are additionally escaped as recommended in
[RFC2254].

- Restored support for openssl 0.9.6
The OpenSSL EVP_MD structure that handles so-called "dss-raw" signatures can
be compiled with openssl 0.9.6.

- Resolved cross-compilation issue
The test for "Email" in "Distinguished Name" (openssl 0.9.6 and earlier) in
file configure.ac is modified to handle cross-compilation.

- Certificates for RSA keys of size greater than 2048
The limitation for big RSA keys is resolved.

- Regression tests with multi-language "distinguished name" in utf-8
To enable, uncomment #SSH_DN_UTF8_FLAG='-utf8' in
"[SOURCEDIR]/tests/CA/config", go to "[BUILDIR]/" and run the tests. If test
certificates have already been created, then before running the tests again
with the flag enabled, go to "[BUILDIR]/tests/CA/", run make clean (this will
remove the created test certificates), return to "[BUILDIR]/" and run the
tests again.


On the download page http://roumenpetrov.info/openssh/download.html you can find diffs for OpenSSH versions 4.5p1 and 4.6p1.


Roumen
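
The RFC 2254 escaping mentioned in the LDAP item of the announcement, as an added example that is not part of the original message and is not code from the patch itself: a certificate subject value placed in a search filter must have `*`, `(`, `)`, `\` and NUL written as `\XX`, which RFC 2253 DN escaping does not cover. The function names `ldap_filter_escape` and `build_filter` and the sample common name are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2254 section 4: these octets must appear as \XX (two hex digits)
 * inside a search filter assertion value. RFC 2253 DN escaping leaves
 * '*', '(' and ')' untouched, so it is not sufficient on its own. */
static int needs_filter_escape(unsigned char c) {
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

/* Hypothetical helper: escape len bytes of in for use as a filter value.
 * UTF-8 bytes above 127 pass through unchanged, as RFC 2254 permits.
 * Returns the output length, or -1 if out (outsz bytes) is too small. */
int ldap_filter_escape(const unsigned char *in, size_t len,
                       char *out, size_t outsz) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        size_t need = needs_filter_escape(in[i]) ? 3 : 1;
        if (o + need + 1 > outsz) return -1;   /* keep room for the NUL */
        if (need == 3) {
            out[o++] = '\\';
            out[o++] = hex[in[i] >> 4];
            out[o++] = hex[in[i] & 0x0f];
        } else {
            out[o++] = (char)in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical helper: build "(attr=value)" with the value escaped.
 * Returns the filter length, or -1 if anything would be truncated. */
int build_filter(const char *attr, const char *value, char *out, size_t outsz) {
    char esc[256];
    if (ldap_filter_escape((const unsigned char *)value, strlen(value),
                           esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outsz, "(%s=%s)", attr, esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void) {
    char f[512];
    /* Constructed sample: a common name containing filter metacharacters. */
    if (build_filter("cn", "Test CA (root) *", f, sizeof f) > 0)
        puts(f);
    return 0;
}
```

Refusing on truncation rather than emitting a shortened filter matters here: a cut-off filter could match a different set of certificates or CRLs than the one intended.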

