[Bug 2040] Downgrade attack vulnerability when checking SSHFP records
bugzilla-daemon at mindrot.org
Fri Aug 31 19:33:25 EST 2012
https://bugzilla.mindrot.org/show_bug.cgi?id=2040
--- Comment #2 from Ondřej Caletka <ondrej at caletka.cz> ---
(In reply to comment #1)
> Created attachment 2184 [details]
> Handle future digest types correctly
>
> When testing, I also found out that when a SSHFP record for the host
> uses digest type other than SHA1 or SHA256, the SSHFP check fails
> even if SHA1 or SHA256 matches the offered host key.
>
> This patch changes this behavior to ignore future digest types.
Feel free to test it using

ssh -vv -o VerifyHostKeyDNS=yes -o HostKeyAlgorithms=ecdsa-sha2-nistp521 sshfp-test-newdigest.oskarcz.net
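The check described in the quoted comment, modelled in Python as an added example (not code from the bug report or from OpenSSH itself): a set of SSHFP records is evaluated against one offered host key, once with the pre-patch behaviour where an unrecognised digest type fails the whole check, and once with the patched behaviour where such records are skipped. The host key blob and the record with digest type 99 are constructed sample data, and the record/algorithm numbers are the RFC 4255/6594 values.

```python
import hashlib

# SSHFP RDATA fields (RFC 4255, RFC 6594): algorithm, fingerprint type, fingerprint
ALG_RSA, ALG_DSA, ALG_ECDSA = 1, 2, 3
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2
DIGESTS = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}


def parse_sshfp(rdata_text):
    """Parse presentation-format RDATA such as '3 2 0123ab...' into (alg, fptype, fingerprint bytes)."""
    alg, fptype, fp_hex = rdata_text.split(None, 2)
    return int(alg), int(fptype), bytes.fromhex(fp_hex.replace(" ", ""))


def sshfp_verify(records, key_alg, key_blob, ignore_unknown_digest):
    """Check an offered host key (algorithm number + wire-format public key blob)
    against SSHFP records. Returns True only when at least one record matches.

    ignore_unknown_digest=False models the behaviour the comment calls buggy:
    a record with a digest type other than SHA-1/SHA-256 fails the whole check.
    ignore_unknown_digest=True models the patch: such records are skipped.
    """
    matched = False
    for alg, fptype, fingerprint in records:
        digest = DIGESTS.get(fptype)
        if digest is None:
            if not ignore_unknown_digest:
                return False          # pre-patch: unknown digest type aborts the check
            continue                  # post-patch: leave future digest types alone
        if alg != key_alg:
            continue                  # record describes a key of a different algorithm
        if digest(key_blob).digest() == fingerprint:
            matched = True
    return matched


# Constructed sample data (not a real host key): the blob stands in for the
# wire-format ECDSA public key that ssh receives from the server.
HOST_KEY_BLOB = b"constructed-ecdsa-sha2-nistp521-host-key-blob"
RECORDS = [
    parse_sshfp("3 1 " + hashlib.sha1(HOST_KEY_BLOB).hexdigest()),
    parse_sshfp("3 2 " + hashlib.sha256(HOST_KEY_BLOB).hexdigest()),
    parse_sshfp("3 99 " + "00" * 32),   # hypothetical future digest type 99
]


def demo():
    before = sshfp_verify(RECORDS, ALG_ECDSA, HOST_KEY_BLOB, ignore_unknown_digest=False)
    after = sshfp_verify(RECORDS, ALG_ECDSA, HOST_KEY_BLOB, ignore_unknown_digest=True)
    return before, after


if __name__ == "__main__":
    print(demo())   # (False, True)
```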
More information about the openssh-bugs mailing list