openssh and SSLv2 ciphers

Damien Miller djm at mindrot.org
Sat Feb 28 09:34:34 EST 2009


Like I said, SSL's use of ciphers is completely separate to OpenSSH's,
so I can think of no reason why compiling OpenSSL with no-ssl2 would
affect OpenSSH in any way.

On Fri, 27 Feb 2009, Smith, Steven G (Steven) wrote:

> Thanks again to everyone who replied.  Maybe I should give a better
> explanation for my question.  We are avoiding the use of SSLv2 ciphers
> in our products.  Previously, I did this by recompiling openssl with the
> "no-ssl2" flag to make sure these ciphers were completely unusable.
> Unfortunately, this created a nightmare of having to recompile many
> other RPMs (we are using RHEL 4 and RHEL 5).  Just recompiling would not
> be that bad with SRPMs, but frequently code changes need to be made as
> well to remove flags and function calls that are no longer existent in
> the "hardened" openssl libraries.  
> 
> Instead, I am trying to see which applications have configuration
> options (such as httpd) to avoid using SSLv2.  I know I can configure
> openssh to use certain ciphers, but I am having a hard time determining
> where the ciphers actually come from.  Additionally, maybe the SSLv2
> vulnerabilities would not really affect an openssh connection anyway.
> 
> Perhaps an option would be to recompile openssl without support for the
> SSLv2 ciphers, but still have the SSLv2 methods and flags hang around
> for compatibility with these other programs.  I am not sure how much
> work that would be.  
> 
> If you have any other ideas, I would be interested in hearing them.  
> 
> Thanks,
> Steven
> 
> 
> > -----Original Message-----
> > From: Damien Miller [mailto:djm at mindrot.org]
> > Sent: Thursday, February 26, 2009 3:14 PM
> > To: Smith, Steven G (Steven)
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: openssh and SSLv2 ciphers
> > 
> > On Thu, 26 Feb 2009, Smith, Steven G (Steven) wrote:
> > 
> > > Hi,
> > >
> > > I am trying to confirm that openssh transmissions do not use any kind
> > > of SSLv2 ciphers. I have glanced through the code briefly, and I did
> > > not find any indication that any openssl ciphers are even being used
> > > (it appears that openssl is used primarily for RSA key generation
> > > and select other things). So openssh uses its own built-in ciphers
> > > instead, right?
> > 
> > OpenSSH can use some of the same ciphers as SSLv2, and these ciphers
> > come from OpenSSL's libcrypto library but they are used somewhat
> > differently to SSL. Indeed, OpenSSL's actual SSL/TLS library (libssl) is
> > separate to its crypto library.
> > 
> > -d
> 
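A check that turns the libssl/libcrypto distinction above into something an administrator can run, added here as an example and not code from the thread or from OpenSSH itself: it classifies a binary from its `ldd` output (only programs linking libssl speak SSL/TLS, so only there can SSLv2 settings matter) and reports which `Ciphers` list an sshd_config sets. The ldd output and config fragment below are constructed samples with made-up paths and addresses.

```shell
#!/bin/sh
# Added example: which programs can be affected by OpenSSL's SSL/TLS
# settings (e.g. building with no-ssl2)? Only those linking libssl.
# A binary that links libcrypto alone, like sshd, gets cipher primitives
# but never speaks SSLv2/TLS, so protocol-level settings do not apply.

# classify_ssl_usage: reads `ldd` output on stdin and prints one of
#   libssl    - links OpenSSL's SSL/TLS library; SSLv2 settings apply
#   libcrypto - links only the crypto primitives; SSLv2 settings do not
#   none      - no OpenSSL dependency found
classify_ssl_usage() {
    ldd_out=$(cat)
    case "$ldd_out" in
        *libssl.so*)    echo libssl ;;
        *libcrypto.so*) echo libcrypto ;;
        *)              echo none ;;
    esac
}

# check_binary: classify a real binary on this host, e.g. check_binary /usr/sbin/sshd
check_binary() {
    ldd "$1" | classify_ssl_usage
}

# sshd_ciphers: print the "Ciphers" list set in an sshd_config read on stdin,
# or "default" when the keyword is absent (commented-out lines are ignored),
# meaning sshd's compiled-in default cipher list is in effect.
sshd_ciphers() {
    awk 'tolower($1) == "ciphers" { sub(/^[^ \t]+[ \t]+/, ""); list = $0 }
         END { print (list == "" ? "default" : list) }'
}

# Constructed samples (made-up library paths, load addresses and config).
SAMPLE_LDD_SSHD='	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x0000003f1a400000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003f19c00000)'
SAMPLE_LDD_HTTPD='	libssl.so.6 => /lib64/libssl.so.6 (0x0000003f1c000000)
	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x0000003f1a400000)'
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
#Ciphers aes128-cbc
Ciphers aes256-ctr,aes128-ctr'

printf '%s\n' "$SAMPLE_LDD_SSHD"  | classify_ssl_usage   # prints: libcrypto
printf '%s\n' "$SAMPLE_LDD_HTTPD" | classify_ssl_usage   # prints: libssl
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_ciphers       # prints: aes256-ctr,aes128-ctr
```

On a real host, `check_binary` is the entry point; a result of `libcrypto` for sshd means the no-ssl2 question is moot for that daemon, while `libssl` for httpd means its own SSLv2 configuration is what needs attention.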
