OpenSSH 3.4p1 and OpenSSL

Mark_A_Khan at Mark_A_Khan at
Tue Oct 14 07:14:31 EST 2003

Ladies and Gentlemen;
                                     I have multiple systems where all I 
can find is the OpenSSH 3.4p1 installed without the OpenSSL libraries. I 
have other systems that have OpenSSH3.4p1 with OpenSSL 0.9.6e and other systems with OpenSSH 3.6.1p1 and OpenSSL 0.9.7b installed. 
I am trying to respond to the following IAVA CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS 
Implementations Original issue date: October 1, 2003 
* OpenSSL versions prior to 0.9.7c and 0.9.6k 
* Multiple SSL/TLS implementations 
* SSLeay library

If someone could please take the time to answer the following questions, I 
would greatly appreciate it.
1. Does OpenSSH 3.4p1 need the OpenSSL libraries to encrypt the data so 
that it can't been seen?
2. If OpenSSH 3.4p1 does not need the OpenSSL libraries to encrypt the 
data so that it can't been seen, then what is the OpenSSL libraries used 
3. I installed the OpenSSH3.4p1 on a Solaris 8 system without the OpenSSL 
libraries. Once installed I was able to do the following:
1. Started snoop in a window. snoop port 22
1. I then executed the following command from another window : 
/usr/local/bin/ssh localhost -l mak
2. I logged in.
3. When I checked the snoop output there was nothing! 
What am I missing here? 
Should snoop have reported output even if it WAS or was NOT encrypted?
How can I find out what version of the OpenSSL libraries are being used by 
the OpenSSH?
How do I test OpenSSH to make sure it is using the OpenSSL libraries?
What are the OpenSSL libraries used for?
I have theorized (guessed) the following:
OpenSSH provides a somewhat generic encrypted secure "tunnel or 
connection" between systems.
OpenSSL provides a higher level or grade of encryption of the data being 
passed thru the "tunnel or connection" between the systems.
I am planning on updating the libraries on those systems that had previous 
version of OpenSSL mentioned above with the openssl 0.9.7c that is suppose 
to address the IAVA. Does this mean I will have to recompile the SSH 
software on those systems?

Any and all help would be greatly appreciated!

                       Mark Khan

More information about the openssh-unix-dev mailing list