[Bug 1550] Move from 3DES to AES-256 for private key encryption

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jan 23 07:56:08 EST 2009


--- Comment #5 from Jim Knoble <jmknoble at pobox.com>  2009-01-23 07:56:07 ---
Date: Wed, 21 Jan 2009 16:01:35 +1100 (EST)
From: Damien Miller <djm at mindrot.org>
To: Darren Tucker <dtucker at zip.com.au>
Subject: Re: OpenSSH private key encryption: time for AES?
In-Reply-To: <4976A70C.2020305 at zip.com.au>
Message-ID: <alpine.BSO.1.10.0901211556540.5581 at fuyu.mindrot.org>
References: <20090120060635.GA29074 at crawfish.ais.com>
 <alpine.BSO.1.10.0901201822540.5492 at fuyu.mindrot.org>
 <20090121014237.GD29074 at crawfish.ais.com>
 <alpine.BSO.1.10.0901211509560.5581 at fuyu.mindrot.org>
 <4976A70C.2020305 at zip.com.au>
Cc: Jim Knoble <jmknoble at pobox.com>, OpenSSH Devel
 <openssh-unix-dev at mindrot.org>

On Wed, 21 Jan 2009, Darren Tucker wrote:

> Damien Miller wrote:
> [...]
> > If we change then it should be to the best encryption that is supported by
> > widely deployed SSL/OpenSSH versions.
> Don't forget some versions of the Solaris 10 OpenSSL package cripple all 
> ciphers with a key length >128 bits.  We work around that for the SSH 
> ciphers but that's not going to help for the OpenSSL PEM functions.

Shouldn't this Just Work with our replacement EVP_aes_256_cbc in
cipher-aes.c? We already switch it on for the OPENSSL_LOBOTOMISED_AES
case (Obviously it would need to be tested...)


Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list