Openssl 3

Thomas Dwyer III tomiii at
Fri Aug 14 01:33:25 AEST 2020

For what it's worth, the latest changes in OpenSSL 3.0 (specifically, PR
#12233) in combination with this patch fixed the non-GCM ciphers for me:

Index: openssh-8.0p1/cipher.c
--- openssh-8.0p1/cipher.c (revision 136940)
+++ openssh-8.0p1/cipher.c (working copy)
@@ -594,7 +594,7 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char
  if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
    len, iv))
- } else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len))
+ } else if (!EVP_CIPHER_CTX_get_iv_state(cc->evp, iv, len))
  return 0;
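
Review bot: The replacement call in the "else if" branch of cipher_get_keyiv() is unconditional, so cipher.c would now build only against a libcrypto that exports EVP_CIPHER_CTX_get_iv_state(), which the message ties to the OpenSSL 3.0 changes in PR #12233. Consider gating it behind a configure probe (for example a HAVE_EVP_CIPHER_CTX_GET_IV_STATE define; that name is hypothetical) and keeping EVP_CIPHER_CTX_get_iv() as the fallback for other library versions. A short comment explaining why the non-GCM path needs the _iv_state variant would also help, since the two function names differ only by suffix and the EVP_CTRL_GCM_IV_GEN branch above is left untouched.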


>On Fri, 24 Jul 2020 at 22:46, The Doctor <doctor at>
>> Anyone trying openssl 3 against openssh?
>I used to test OpenSSH head against OpenSSL head but it was broken
>enough that I didn't have time to keep up and I ended up giving up.
>Here's what I found as of a few months ago in case it provides any
>clues, I have not attempted since then:
>Several months ago a commit to OpenSSL head broke OpenSSH Portable's
>AES-GCM ciphers.  I didn't have time to look at this for a while, and
>by the time I did there were at least 2 other unrelated breakages that
>muddied the waters sufficiently that I never got to the bottom of it.
>I tried retesting at the hackathon and didn't get the results I
>expected: now the GCM ones worked and the NON-GCM ones didn't.
>After some clues from tb and a lot of time bisecting I have identified
>commits #1 and #3 below as the likely culprits.  I don't know if they
>or we are doing the wrong thing.  Can anyone tell me?

More information about the openssh-unix-dev mailing list