diff -Nru ec2-instance-connect-1.1.14/bin/make_deb.sh ec2-instance-connect-1.1.17/bin/make_deb.sh
--- ec2-instance-connect-1.1.14/bin/make_deb.sh 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/bin/make_deb.sh 2022-05-09 23:10:36.000000000 +0200
@@ -57,8 +57,8 @@
 sed -i "s%^/bin/%%g" "${pkgdir}"/ec2-instance-connect/*
 sed -i "s%\([^\#][^\!]\)/bin/%\1%g" "${pkgdir}"/ec2-instance-connect/*
 # Copy ec2-instance-connect service file
-cp -r "${TOPDIR}/src/deb_systemd/ec2-instance-connect.service" "${pkgdir}/"
-cp -r "${TOPDIR}/src/ec2-instance-connect.preset" "${pkgdir}/95-ec2-instance-connect.preset"
+cp -r "${TOPDIR}/src/deb_systemd/ec2-instance-connect-harvest-hostkeys.service" "${pkgdir}/"
+cp -r "${TOPDIR}/src/ec2-instance-connect-harvest-hostkeys.preset" "${pkgdir}/95-ec2-instance-connect-harvest-hostkeys.preset"
 mkdir "${pkgdir}/debian"
 cp -r "${TOPDIR}"/debian/* "${pkgdir}/debian/"
diff -Nru ec2-instance-connect-1.1.14/bin/make_rpm.sh ec2-instance-connect-1.1.17/bin/make_rpm.sh
--- ec2-instance-connect-1.1.14/bin/make_rpm.sh 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/bin/make_rpm.sh 2022-05-09 23:10:36.000000000 +0200
@@ -52,8 +52,8 @@
 }
 trap cleanup EXIT
-cp "${TOPDIR}/src/rpm_systemd/ec2-instance-connect.service" "${BUILDDIR}/SOURCES/"
-cp "${TOPDIR}/src/ec2-instance-connect.preset" "${BUILDDIR}/SOURCES"
+cp "${TOPDIR}/src/rpm_systemd/ec2-instance-connect-harvest-hostkeys.service" "${BUILDDIR}/SOURCES/"
+cp "${TOPDIR}/src/ec2-instance-connect-harvest-hostkeys.preset" "${BUILDDIR}/SOURCES"
 ls "${BUILDDIR}/SOURCES"
 cd "${BUILDDIR}" || exit 1
 # Will ensure some paths are set correctly in rpmbuild
diff -Nru ec2-instance-connect-1.1.14/debian/changelog ec2-instance-connect-1.1.17/debian/changelog
--- ec2-instance-connect-1.1.14/debian/changelog 2022-05-12 07:28:05.000000000 +0200
+++ ec2-instance-connect-1.1.17/debian/changelog 2023-05-05 13:37:09.000000000 +0200
@@ -1,3 +1,11 @@
+ec2-instance-connect (1.1.17-0ubuntu1) mantic; urgency=medium
+
+ * New upstream release.
+ * Drop d/p/fix-parse-auth-keys-w-openssl-3.0.2.patch . Applied upstream.
+
+ -- Thomas Bechtold Fri, 05 May 2023 13:37:09 +0200
+
 ec2-instance-connect (1.1.14-0ubuntu2) kinetic; urgency=medium
 * Add patch to fix parse authorized keys script
diff -Nru ec2-instance-connect-1.1.14/debian/patches/fix-parse-auth-keys-w-openssl-3.0.2.patch ec2-instance-connect-1.1.17/debian/patches/fix-parse-auth-keys-w-openssl-3.0.2.patch
--- ec2-instance-connect-1.1.14/debian/patches/fix-parse-auth-keys-w-openssl-3.0.2.patch 2022-05-12 07:28:05.000000000 +0200
+++ ec2-instance-connect-1.1.17/debian/patches/fix-parse-auth-keys-w-openssl-3.0.2.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,41 +0,0 @@ -From 82f34324a4b9ff21c375ac5724e9d68bd051a00f Mon Sep 17 00:00:00 2001 -From: Jacob Meisler -Date: Mon, 9 May 2022 16:22:17 -0400 -Subject: [PATCH] Fix parse authorized keys script to work with OpenSSL 3.0.2 - ---- - src/bin/eic_parse_authorized_keys | 10 +++++----- - 1 files changed, 5 insertions(+), 5 deletions(-) - -Origin: upstream, https://github.com/aws/aws-ec2-instance-connect-config/pull/39/commits/82f34324a4b9ff21c375ac5724e9d68bd051a00f -Bug: https://github.com/aws/aws-ec2-instance-connect-config/issues/38 -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1973114 -Applied-Upstream: https://github.com/aws/aws-ec2-instance-connect-config/pull/39/commits/82f34324a4b9ff21c375ac5724e9d68bd051a00f (v1.1.17) -Last-Updated: 2022-05-12 - ---- a/src/bin/eic_parse_authorized_keys -+++ b/src/bin/eic_parse_authorized_keys -@@ -50,7 +50,7 @@ - verifyocsp() { - # First check if this cert is already trusted - cname=$("${2}" x509 -noout -subject -in "${3}" 2>/dev/null | /bin/sed -n -e 's/^.*CN[[:blank:]]*=[[:blank:]]*//p') -- fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':') -+ fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/pI' | tr -d ':') - ocsp_out=$("${2}" ocsp -no_nonce -issuer "${4}" -cert "${3}" -VAfile "${4}" -respin "${5}/${fingerprint}" 2>/dev/null) - ocsp_exit="${?}" - if [ "${ocsp_exit}" -ne 0 ] || ! 
startswith "${ocsp_out}" "${3}: good" ; then
-@@ -143,10 +143,10 @@
- fi
- 
- # Build the intermediate trust chain
--/bin/touch "${tmpdir}/ca-trust.pem"
--for i in $(/usr/bin/seq 1 "${end}") ; do
-- /bin/cat "${tmpdir}/cert${i}.pem" >> "${tmpdir}/ca-trust.pem"
--done
-+# We only need to verify the first intermediate certificate since it's signed by Amazon Root CA 1, which
-+# is already trusted by the system (in /etc/ssl/certs).
-+/usr/bin/cp "${tmpdir}/cert1.pem" "${tmpdir}/ca-trust.pem"
-+
- if [ -d "${ca_path}" ] ; then
- subject=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert${end}.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p')
- underscored=$(/bin/echo "${subject}" | /usr/bin/tr -s ' ' '_') 2>/dev/null
diff -Nru ec2-instance-connect-1.1.14/debian/patches/series ec2-instance-connect-1.1.17/debian/patches/series
--- ec2-instance-connect-1.1.14/debian/patches/series 2022-05-12 07:05:28.000000000 +0200
+++ ec2-instance-connect-1.1.17/debian/patches/series 2023-05-05 13:37:09.000000000 +0200
@@ -1 +0,0 @@
-fix-parse-auth-keys-w-openssl-3.0.2.patch
diff -Nru ec2-instance-connect-1.1.14/integration-test/test/hostkey_test.sh ec2-instance-connect-1.1.17/integration-test/test/hostkey_test.sh
--- ec2-instance-connect-1.1.14/integration-test/test/hostkey_test.sh 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/integration-test/test/hostkey_test.sh 2022-05-09 23:10:36.000000000 +0200
@@ -72,7 +72,7 @@
 pubkey=$(cat /etc/ssh/ssh_host_rsa_key.pub | awk '{$1=$1};1')
 echo "Retriggering host key harvesting"
-sudo systemctl restart ec2-instance-connect.service
+sudo systemctl restart ec2-instance-connect-harvest-hostkeys.service
 echo "Retrieving keys from service"
 sign () {
diff -Nru ec2-instance-connect-1.1.14/rpmsrc/SPECS/generic.spec ec2-instance-connect-1.1.17/rpmsrc/SPECS/generic.spec
--- ec2-instance-connect-1.1.14/rpmsrc/SPECS/generic.spec 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/rpmsrc/SPECS/generic.spec 2022-05-09 23:10:36.000000000 +0200
@@ -24,8 +24,8 @@
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: systemd
 Source0: %{name}-%{version}.tar.gz
-Source1: ec2-instance-connect.service
-Source2: ec2-instance-connect.preset
+Source1: ec2-instance-connect-harvest-hostkeys.service
+Source2: ec2-instance-connect-harvest-hostkeys.preset
 Requires: openssh >= 6.9.0, coreutils, openssh-server >= 6.9.0, openssl, curl, systemd
 Requires(pre): /usr/bin/getent, /usr/sbin/adduser, /usr/sbin/usermod, systemd, systemd-units
 Requires(post): /bin/grep, /usr/bin/printf, openssh-server >= 6.9.0, systemd, systemd-units
@@ -45,13 +45,13 @@
 /bin/rm -rf %{buildroot}
 /bin/mkdir -p %{buildroot}
-/usr/bin/install -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/ec2-instance-connect.service
+/usr/bin/install -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/ec2-instance-connect-harvest-hostkeys.service
 # While the former is the RHEL standard, both are populated. And not symlinked.
-/usr/bin/install -D -m 644 %{SOURCE2} %{buildroot}/usr/lib/systemd/system-preset/95-ec2-instance-connect.preset
-/usr/bin/install -D -m 644 %{SOURCE2} %{buildroot}/lib/systemd/system-preset/95-ec2-instance-connect.preset
+/usr/bin/install -D -m 644 %{SOURCE2} %{buildroot}/usr/lib/systemd/system-preset/95-ec2-instance-connect-harvest-hostkeys.preset
+/usr/bin/install -D -m 644 %{SOURCE2} %{buildroot}/lib/systemd/system-preset/95-ec2-instance-connect-harvest-hostkeys.preset
 /bin/mkdir -p %{buildroot}/lib/systemd/hostkey.d
-/bin/echo 'ec2-instance-connect.service' > %{buildroot}/lib/systemd/hostkey.d/60-ec2-instance-connect.list
+/bin/echo 'ec2-instance-connect-harvest-hostkeys.service' > %{buildroot}/lib/systemd/hostkey.d/60-ec2-instance-connect.list
 # in builddir
 /bin/cp -a * %{buildroot}
@@ -66,10 +66,10 @@
 /opt/aws/bin/eic_parse_authorized_keys
 /opt/aws/bin/eic_harvest_hostkeys
 %defattr(644, root, root, -)
-%{_unitdir}/ec2-instance-connect.service
+%{_unitdir}/ec2-instance-connect-harvest-hostkeys.service
 /lib/systemd/hostkey.d/60-ec2-instance-connect.list
-/lib/systemd/system-preset/95-ec2-instance-connect.preset
-/usr/lib/systemd/system-preset/95-ec2-instance-connect.preset
+/lib/systemd/system-preset/95-ec2-instance-connect-harvest-hostkeys.preset
+/usr/lib/systemd/system-preset/95-ec2-instance-connect-harvest-hostkeys.preset
 %pre
 # Create/configure system user
@@ -77,9 +77,11 @@
 /usr/sbin/usermod -L ec2-instance-connect
 %post
-%systemd_post ec2-instance-connect.service
+# Remove dangling pointers to ec2-instance-connect.service
+/bin/rm -f /etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service
+/usr/bin/systemctl preset ec2-instance-connect-harvest-hostkeys.service
 # XXX: %system_post just loads any presets (ie, auto-enable/disable). It does NOT try to start the service!
-/usr/bin/systemctl start ec2-instance-connect.service
+/usr/bin/systemctl start ec2-instance-connect-harvest-hostkeys.service
 modified=1
@@ -121,7 +123,7 @@
 fi
 %preun
-%systemd_preun ec2-instance-connect.service
+%systemd_preun ec2-instance-connect-harvest-hostkeys.service
 if [ $1 -eq 0 ] ; then
 modified=1
@@ -146,7 +148,7 @@
 fi
 %postun
-%systemd_postun_with_restart ec2-instance-connect.service
+%systemd_postun_with_restart ec2-instance-connect-harvest-hostkeys.service
 if [ $1 -eq 0 ] ; then
 # Delete system user
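Review bot: `/usr/bin/systemctl preset ec2-instance-connect-harvest-hostkeys.service` now runs on every %post, whereas the `%systemd_post` macro it replaces only presets on first install (`$1 -eq 1`) and masks systemctl errors with `|| :`; as written, an administrator who deliberately disabled the harvesting unit gets it re-enabled on every package upgrade, and a non-zero exit from systemctl now fails the scriptlet. The migration the commit is after — an upgrade from the old unit name — is detectable from the very symlink the `rm -f` removes (it is left dangling once the old unit file is gone, so test with `-L`, not `-e`), so the preset can be limited to first install or that migration and later upgrades can respect the administrator's state. I believe `systemctl preset` reloads the unit database itself, so no separate daemon-reload is needed after the `rm -f`, but the comment should say so since the old unit file disappears on upgrade. Proposed replacement for the three added lines:
```shell
%post
# Migrate from the pre-1.1.15 unit name: drop the stale wants symlink, then apply the preset only on
# first install or when that symlink proves we are upgrading from the old name, so a later upgrade
# does not override an administrator's explicit enable/disable decision for the harvesting unit.
old_wants=/etc/systemd/system/multi-user.target.wants/ec2-instance-connect.service
if [ $1 -eq 1 ] || [ -L "${old_wants}" ] ; then
    /bin/rm -f "${old_wants}"
    /usr/bin/systemctl preset ec2-instance-connect-harvest-hostkeys.service >/dev/null 2>&1 || :
fi
# … unchanged: XXX comment and systemctl start …
```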
@@ -155,6 +157,13 @@
 %changelog
+* Mon May 9 2022 Jacob Meisler 1.1-17
+- OpenSSL 3.0.2 breaks strict x509 verification for one of our intermediate CA certificates.
+- Only verify CA certificates that aren't already trusted in /etc/ssl/certs.
+- OpenSSL 3.0.2 also changes the formatting of the SHA1 fingerprint of an x509 certificate. Switch to a case insensitive match to be backwards and forwards compatible between OpenSSL versions.
+* Thu Sep 9 2021 Vishrutha Konappa Reddy 1.1-15
+- Change EIC Hostkeys Harvesting to be asynchronous from SSHD to improve instance boot time
+- Rename and enable ec2-instance-connect-harvest-hostkeys.service. Remove pointer to old ec2-instance-connect.service.
 * Fri Feb 26 2021 Paul Oh 1.1-14
 - Ensure failure to run host key harvesting does not leave instances in degraded state
 * Thu Oct 22 2020 Jacob Meisler 1.1-13
diff -Nru ec2-instance-connect-1.1.14/src/bin/eic_parse_authorized_keys ec2-instance-connect-1.1.17/src/bin/eic_parse_authorized_keys
--- ec2-instance-connect-1.1.14/src/bin/eic_parse_authorized_keys 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/bin/eic_parse_authorized_keys 2022-05-09 23:10:36.000000000 +0200
@@ -50,7 +50,7 @@
 verifyocsp() {
 # First check if this cert is already trusted
 cname=$("${2}" x509 -noout -subject -in "${3}" 2>/dev/null | /bin/sed -n -e 's/^.*CN[[:blank:]]*=[[:blank:]]*//p')
- fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':')
+ fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}" 2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/pI' | tr -d ':')
 ocsp_out=$("${2}" ocsp -no_nonce -issuer "${4}" -cert "${3}" -VAfile "${4}" -respin "${5}/${fingerprint}" 2>/dev/null)
 ocsp_exit="${?}"
 if [ "${ocsp_exit}" -ne 0 ] || ! startswith "${ocsp_out}" "${3}: good" ; then
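Review bot: The `I` flag in `s/.../\1/pI` is a GNU sed extension, and it is now the only thing keeping this match alive once OpenSSL 3 prints the digest name in lower case; the script already hardcodes `/bin/sed`, so it works on the glibc targets, but a portable spelling that also documents the intent is `'s/^[Ss][Hh][Aa]1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p'`. If neither spelling matches, `fingerprint` is empty and the `-respin "${5}/${fingerprint}"` argument on the next line degrades to the directory `${5}/`; the `ocsp_exit -ne 0` check below does catch that, but an explicit `[ -n "${fingerprint}" ]` guard before the `ocsp` call would make the fail-closed path deliberate rather than incidental. verifyocsp continues past the hunk, so I cannot see how its result is consumed; whatever guard is added should follow the function's existing failure convention.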
@@ -143,10 +143,10 @@
 fi
 # Build the intermediate trust chain
-/bin/touch "${tmpdir}/ca-trust.pem"
-for i in $(/usr/bin/seq 1 "${end}") ; do
- /bin/cat "${tmpdir}/cert${i}.pem" >> "${tmpdir}/ca-trust.pem"
-done
+# We only need to verify the first intermediate certificate since it's signed by Amazon Root CA 1, which
+# is already trusted by the system (in /etc/ssl/certs).
+/usr/bin/cp "${tmpdir}/cert1.pem" "${tmpdir}/ca-trust.pem"
+
 if [ -d "${ca_path}" ] ; then
 subject=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert${end}.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p')
 underscored=$(/bin/echo "${subject}" | /usr/bin/tr -s ' ' '_') 2>/dev/null
diff -Nru ec2-instance-connect-1.1.14/src/deb_systemd/ec2-instance-connect-harvest-hostkeys.service ec2-instance-connect-1.1.17/src/deb_systemd/ec2-instance-connect-harvest-hostkeys.service
--- ec2-instance-connect-1.1.14/src/deb_systemd/ec2-instance-connect-harvest-hostkeys.service 1970-01-01 01:00:00.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/deb_systemd/ec2-instance-connect-harvest-hostkeys.service 2022-05-09 23:10:36.000000000 +0200
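Review bot: The new comment justifies copying only `cert1.pem` into `ca-trust.pem` by asserting that the issuer is "already trusted by the system (in /etc/ssl/certs)", but that is the Debian/Ubuntu layout, and make_rpm.sh ships this same script to hosts whose CA bundle lives elsewhere; the comment should name the mechanism the later verification step actually relies on rather than a distro path, since that step is outside the hunk and I cannot confirm it consults the system store. The change also moves the trust anchor: the intermediates carried in the message are no longer assembled into `ca-trust.pem`, so if that file is what the verification consumes, the authorized-keys decision now rests on the host's trust store containing the expected Amazon root — that is a policy change worth stating, e.g. `# Trust anchor is the host CA store; only the first intermediate is verified, the rest of the chain is not re-checked here.` Finally, `cert1.pem` is taken on faith: if it is missing or empty the `cp` fails and `ca-trust.pem` is never created, so a guard such as `[ -s "${tmpdir}/cert1.pem" ] || exit 1` before the `cp`, using whatever exit status the script's other fail-closed paths use, would make the failure mode explicit.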
@@ -0,0 +1,14 @@
+[Unit]
+Description=EC2 Instance Connect Host Key Harvesting
+After=network.target ssh-keygen.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+# Prefixing the ExecStart executable with a '-' ignores any failure exit codes and considers it a success
+# This is to avoid issues with the host key harvesting script during system startup
+# and not leave the system in a degraded state.
+# See Table 1 under ExecStart= for details https://www.freedesktop.org/software/systemd/man/systemd.service.html
+ExecStart=-/usr/share/ec2-instance-connect/eic_harvest_hostkeys
diff -Nru ec2-instance-connect-1.1.14/src/deb_systemd/ec2-instance-connect.service ec2-instance-connect-1.1.17/src/deb_systemd/ec2-instance-connect.service
--- ec2-instance-connect-1.1.14/src/deb_systemd/ec2-instance-connect.service 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/deb_systemd/ec2-instance-connect.service 1970-01-01 01:00:00.000000000 +0100
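Review bot: `After=network.target ssh-keygen.service` only guarantees that network setup has been started, not that the instance has connectivity, and `ExecStart=-…` turns any failure of the harvest script into a success that is never retried; if the script publishes the host keys over the network (the integration test's "Retrieving keys from service" step suggests it does), a boot-time race now silently leaves the instance with no published host keys, which is exactly the man-in-the-middle exposure host-key harvesting is meant to close. Now that the unit no longer carries `Before=ssh.service`, there is no boot-time cost to waiting for the network, so `After=network-online.target ssh-keygen.service` plus `Wants=network-online.target` is the safer ordering. The comment block should also spell out the consequence of the `-` prefix — a failed harvest leaves the unit inactive rather than failed, so nothing flags the missing publication — since that is what an operator will need to know when keys are absent.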
@@ -1,15 +0,0 @@
-[Unit]
-Description=EC2 Instance Connect Host Key Harvesting
-Before=ssh.service
-After=network.target ssh-keygen.service
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-# Prefixing the ExecStart executable with a '-' ignores any failure exit codes and considers it a success
-# This is to avoid issues with the host key harvesting script during system startup
-# and not leave the system in a degraded state.
-# See Table 1 under ExecStart= for details https://www.freedesktop.org/software/systemd/man/systemd.service.html
-ExecStart=-/usr/share/ec2-instance-connect/eic_harvest_hostkeys
diff -Nru ec2-instance-connect-1.1.14/src/ec2-instance-connect-harvest-hostkeys.preset ec2-instance-connect-1.1.17/src/ec2-instance-connect-harvest-hostkeys.preset
--- ec2-instance-connect-1.1.14/src/ec2-instance-connect-harvest-hostkeys.preset 1970-01-01 01:00:00.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/ec2-instance-connect-harvest-hostkeys.preset 2022-05-09 23:10:36.000000000 +0200
@@ -0,0 +1 @@
+enable ec2-instance-connect-harvest-hostkeys.service
\ No newline at end of file
diff -Nru ec2-instance-connect-1.1.14/src/ec2-instance-connect.preset ec2-instance-connect-1.1.17/src/ec2-instance-connect.preset
--- ec2-instance-connect-1.1.14/src/ec2-instance-connect.preset 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/ec2-instance-connect.preset 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-enable ec2-instance-connect.service
diff -Nru ec2-instance-connect-1.1.14/src/rpm_systemd/ec2-instance-connect-harvest-hostkeys.service ec2-instance-connect-1.1.17/src/rpm_systemd/ec2-instance-connect-harvest-hostkeys.service
--- ec2-instance-connect-1.1.14/src/rpm_systemd/ec2-instance-connect-harvest-hostkeys.service 1970-01-01 01:00:00.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/rpm_systemd/ec2-instance-connect-harvest-hostkeys.service 2022-05-09 23:10:36.000000000 +0200
@@ -0,0 +1,14 @@
+[Unit]
+Description=EC2 Instance Connect Host Key Harvesting
+After=network.target sshd-keygen.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+# Prefixing the ExecStart executable with a '-' ignores any failure exit codes and considers it a success
+# This is to avoid issues with the host key harvesting script during system startup
+# and not leave the system in a degraded state.
+# See Table 1 under ExecStart= for details https://www.freedesktop.org/software/systemd/man/systemd.service.html
+ExecStart=-/opt/aws/bin/eic_harvest_hostkeys
diff -Nru ec2-instance-connect-1.1.14/src/rpm_systemd/ec2-instance-connect.service ec2-instance-connect-1.1.17/src/rpm_systemd/ec2-instance-connect.service
--- ec2-instance-connect-1.1.14/src/rpm_systemd/ec2-instance-connect.service 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/src/rpm_systemd/ec2-instance-connect.service 1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-[Unit]
-Description=EC2 Instance Connect Host Key Harvesting
-Before=sshd.service
-After=network.target sshd-keygen.service
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-# Prefixing the ExecStart executable with a '-' ignores any failure exit codes and considers it a success
-# This is to avoid issues with the host key harvesting script during system startup
-# and not leave the system in a degraded state.
-# See Table 1 under ExecStart= for details https://www.freedesktop.org/software/systemd/man/systemd.service.html
-ExecStart=-/opt/aws/bin/eic_harvest_hostkeys
diff -Nru ec2-instance-connect-1.1.14/VERSION ec2-instance-connect-1.1.17/VERSION
--- ec2-instance-connect-1.1.14/VERSION 2021-03-16 15:57:25.000000000 +0100
+++ ec2-instance-connect-1.1.17/VERSION 2022-05-09 23:10:36.000000000 +0200
@@ -1 +1 @@
-1.1-14
+1.1-17
\ No newline at end of file
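Review bot: The RPM unit has the same ordering gap as its Debian twin: `After=network.target sshd-keygen.service` does not wait for connectivity, and with `ExecStart=-/opt/aws/bin/eic_harvest_hostkeys` a harvest that fails because the network is not yet up is recorded as success and never retried, so the instance may boot with no published host keys and no failed unit to point at it. Since dropping `Before=sshd.service` removes the boot-time pressure, `After=network-online.target sshd-keygen.service` together with `Wants=network-online.target` is the safer ordering. The unit also runs the script as root with no sandboxing; if the script only needs to read the host public keys under `/etc/ssh` and reach the network, which the hunk alone cannot confirm, `ProtectSystem=strict`, `PrivateTmp=yes` and `NoNewPrivileges=yes` would bound what a compromised or misbehaving harvest can touch, and the comment block should record whichever decision is made.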