Hi,

In the context of Fedora we are looking at various ways for applications to get a reasonable and adjustable default policy for crypto ciphers and parameters. Our goal is to be able to disable ciphers system-wide when necessary, without going through all possible applications. So far we have succeeded with the TLS libs, though with different approaches. With openssl and gnutls we apply a default config to all applications, unless the applications explicitly override that.

Now getting on to libssh, what would be the best way to achieve the same thing? libssh provides ssh_options_parse_config() [0], but applications are expected to call it explicitly, meaning that we cannot assume that all apps follow the system's global config (/etc/ssh/ssh_config). Furthermore, on the server side, libssh doesn't provide something equivalent.

Would it make sense for libssh to apply some global configuration about enabled ciphers (e.g., from /etc/) unconditionally on the server or client side? Would such a feature be acceptable?

regards,
Nikos

[0] http://api.libssh.org/master/group__libssh__session.html#ga82371e723260c7572ea061edecc2e9f1
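As an added example (not code from libssh or from the post above), here is a small check an administrator could run over the system-wide /etc/ssh/ssh_config the post refers to: it resolves the Ciphers directive using the ssh_config(5) prefix rules ("+" appends to the defaults, "-" removes matching entries, "^" moves entries to the front, a bare list replaces the defaults) and reports any cipher a system-wide policy forbids. The default cipher list, the sample config and the deny list are constructed for the demonstration; the real defaults belong to the library and vary by version.

```python
import re
from fnmatch import fnmatch

# Constructed default list for the demonstration only; the real defaults
# are the library's own and differ between versions.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

# Constructed sample of a system-wide ssh_config and a policy deny list.
SAMPLE_CONFIG = """# constructed sample /etc/ssh/ssh_config
Host *
    Ciphers +aes128-cbc,3des-cbc
    # ignored: ssh_config keeps the first value set for an option
    Ciphers aes256-ctr
"""
POLICY_DENY = ["3des-cbc", "arcfour*", "*-cbc"]


def ciphers_directive(config_text):
    """Value of the first Ciphers directive (first match wins), or None."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"(?i)^ciphers[\s=]+(.+)$", line)
        if m:
            return m.group(1).strip()
    return None


def effective_ciphers(directive, defaults=DEFAULT_CIPHERS):
    """Apply the +/-/^ prefix semantics of ssh_config(5) to the defaults."""
    if directive is None:
        return list(defaults)
    prefix = directive[0] if directive[0] in "+-^" else ""
    names = [n.strip() for n in directive[len(prefix):].split(",") if n.strip()]
    if prefix == "+":
        return list(defaults) + [n for n in names if n not in defaults]
    if prefix == "-":
        # "-" entries are patterns: "-aes*-ctr" drops every matching default
        return [d for d in defaults if not any(fnmatch(d, p) for p in names)]
    if prefix == "^":
        return names + [d for d in defaults if d not in names]
    return names


def policy_violations(config_text, denied_patterns):
    """Ciphers in the effective list that match a denied policy pattern."""
    effective = effective_ciphers(ciphers_directive(config_text))
    return [c for c in effective if any(fnmatch(c, p) for p in denied_patterns)]
```

Because libssh only reads this file when the application calls ssh_options_parse_config(), a clean result from this check says the config is policy-compliant, not that every libssh application will honour it.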