[Bug 2040] Downgrade attack vulnerability when checking SSHFP records

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 31 19:33:25 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2040

--- Comment #2 from Ondřej Caletka <ondrej at caletka.cz> ---
(In reply to comment #1)
> Created attachment 2184 [details]
> Handle future digest types correctly
> 
> When testing, I also found out that when a SSHFP record for the host
> uses digest type other than SHA1 or SHA256, the SSHFP check fails
> even if SHA1 or SHA256 matches the offered host key.
> 
> This patch changes this behavior to ignore future digest types.

Feel free to test it using 
ssh -vv -o VerifyHostKeyDNS=yes -o
HostKeyAlgorithms=ecdsa-sha2-nistp521 sshfp-test-newdigest.oskarcz.net

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list