openssh and SSLv2 ciphers

Smith, Steven G (Steven) smithsg at avaya.com
Sat Feb 28 07:20:30 EST 2009


Thanks again to everyone who replied.  Maybe I should give a better
explanation for my question.  We are avoiding the use of SSLv2 ciphers
in our products.  Previously, I did this by recompiling openssl with the
"no-ssl2" flag to make sure these ciphers were completely unusable.
Unfortunately, this created a nightmare of having to recompile many
other RPMs (we are using RHEL 4 and RHEL 5).  Just recompiling would not
be that bad with SRPMs, but frequently code changes need to be made as
well to remove flags and function calls that are no longer existent in
the "hardened" openssl libraries.

Instead, I am trying to see which applications have configuration
options (such as httpd) to avoid using SSLv2.  I know I can configure
openssh to use certain ciphers, but I am having a hard time determining
where the ciphers actually come from.  Additionally, maybe the SSLv2
vulnerabilities would not really affect an openssh connection anyway.

Perhaps an option would be to recompile openssl without support for the
SSLv2 ciphers, but still have the SSLv2 methods and flags hang around
for compatibility with these other programs.  I am not sure how much
work that would be.

If you have any other ideas, I would be interested in hearing them.

Thanks,
Steven


> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Thursday, February 26, 2009 3:14 PM
> To: Smith, Steven G (Steven)
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: openssh and SSLv2 ciphers
> 
> On Thu, 26 Feb 2009, Smith, Steven G (Steven) wrote:
> 
> > Hi,
> >
> > I am trying to confirm that openssh transmissions do not use any kind
> > of SSLv2 ciphers. I have glanced through the code briefly, and I did
> > not find any indication that any openssl ciphers are even being used
> > (it appears that openssl is used primarily for RSA key generation
> > and select other things). So openssh uses its own built-in ciphers
> > instead, right?
> 
> OpenSSH can use some of the same ciphers as SSLv2, and these ciphers
> come from OpenSSL's libcrypto library but they are used somewhat
> differently to SSL. Indeed, OpenSSL's actual SSL/TLS library (libssl) is
> separate to its crypto library.
> 
> -d
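
A small audit script, added here as an example and not part of the thread, that shows where to look for the answer Steven is after: `openssl ciphers -v` labels every suite libssl knows with its protocol version, so grepping that output for `SSLv2` tells you whether a given build (rebuilt with `no-ssl2` or not) still offers SSLv2 suites, and a mod_ssl fragment can be checked for the `SSLProtocol all -SSLv2` setting. The cipher listing and httpd fragment below are constructed samples; `audit_local_openssl` runs the real command only if `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an OpenSSL build and
# an httpd mod_ssl config for leftover SSLv2 support.

# Constructed sample shaped like `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`
# from an OpenSSL 0.9.8 build that was NOT compiled with no-ssl2.
# Column 2 is the protocol version the suite belongs to.
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export'

# Constructed mod_ssl fragment; `SSLProtocol all -SSLv2` is the setting that
# keeps httpd from negotiating SSLv2 regardless of what libssl can do.
SAMPLE_HTTPD_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM'

# Read `openssl ciphers -v` output on stdin; print the SSLv2 suite names.
sslv2_suites() {
    awk '$2 == "SSLv2" { print $1 }'
}

# Read `openssl ciphers -v` output on stdin; succeed only if no SSLv2 suite
# is present (the state a no-ssl2 rebuild should produce).
check_no_sslv2() {
    count=$(sslv2_suites | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

# Read a mod_ssl config on stdin; succeed if SSLProtocol excludes SSLv2.
httpd_disables_sslv2() {
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2'
}

# Live check of the installed library; ALL:COMPLEMENTOFALL asks libssl for
# every suite it was built with, including ones hidden from the default list.
audit_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v 'ALL:COMPLEMENTOFALL' | sslv2_suites
    fi
}
```

Note that this inspects libssl's suite table; as Damien says, sshd takes its primitives from libcrypto and negotiates them under the SSH protocol, so an `SSLv2` label here says nothing about what sshd will actually use.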
