On Wed, 2003-10-01 at 18:55, Greg Boehnlein wrote:
> > certificate). As far as I understand, openssh only uses "crypto" part
> > of the OpenSSL package, which probably makes it unaffected by the bugs
> > in the "ssl" part.
>
> I think anything that exchanges certificates would be likely at risk.

The point is that SSH does not exchange x509 certificates. It has its own key exchange protocol. Probably(?) it is not ASN1 based. Anyway, "better safe than sorry"; and my message is not "don't upgrade", it's rather "don't panic" :-)

Eugene

P.S. OpenSSL consists of two layers: crypto and protocol(s). The crypto library implements, well, crypto algorithms (RSA, SHA, MD5, etc.). Strictly speaking, it has nothing to do with SSL itself. The protocol library (libssl) implements the SSL protocol and crypto infrastructure things (x.509 certificates, CSRs, etc.). Many packages that need cryptography use the libcrypto implementation from OpenSSL, even though they have absolutely nothing to do with SSL as a protocol. For example, NetSNMP. Others, like Apache or imapd, need SSL, and thus use both layers.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
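
An added example, not part of the original message: one way to check which OpenSSL layer a binary actually loads, by classifying `ldd` output for libssl and libcrypto. The sample `ldd` listings, library versions and function names are constructed for illustration.

```sh
#!/bin/sh
# Classify `ldd` output read on stdin by the OpenSSL layer(s) it lists.
# Prints one of: ssl+crypto, crypto-only, ssl-only, none.
classify_openssl_linkage() {
    awk '
        $1 ~ /(^|\/)libssl\.so/    { ssl = 1 }
        $1 ~ /(^|\/)libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl && crypto) print "ssl+crypto"
            else if (crypto)   print "crypto-only"
            else if (ssl)      print "ssl-only"
            else               print "none"
        }'
}

# Run ldd on each path given and report the class per binary.
# Use ldd only on binaries you trust; it may invoke the file's own loader.
audit_binaries() {
    for bin in "$@"; do
        if out=$(ldd "$bin" 2>/dev/null); then
            printf '%s: %s\n' "$bin" "$(printf '%s\n' "$out" | classify_openssl_linkage)"
        else
            # Static binaries list no shared libraries, so OpenSSL may be built in.
            printf '%s: not-dynamic (ldd cannot tell)\n' "$bin"
        fi
    done
}

# Constructed sample: a binary that uses only the crypto layer.
sample_sshd_ldd() {
    cat <<'EOF'
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40030000)
    libz.so.1 => /usr/lib/libz.so.1 (0x40120000)
    libc.so.6 => /lib/libc.so.6 (0x40140000)
EOF
}

# Constructed sample: a binary that uses both layers.
sample_httpd_ldd() {
    cat <<'EOF'
    libssl.so.4 => /lib/libssl.so.4 (0x40020000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40050000)
    libc.so.6 => /lib/libc.so.6 (0x40140000)
EOF
}

# With arguments, audit those binaries; otherwise show the constructed samples.
if [ "$#" -gt 0 ]; then audit_binaries "$@"; else
    printf 'sample sshd:  %s\n' "$(sample_sshd_ldd | classify_openssl_linkage)"
    printf 'sample httpd: %s\n' "$(sample_httpd_ldd | classify_openssl_linkage)"
fi
```

Linkage only shows which libraries are loaded; whether a particular bug is reachable depends on which library functions the program calls, and a statically linked binary lists no OpenSSL libraries at all.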
