https://bugzilla.mindrot.org/show_bug.cgi?id=2040
Ondřej Caletka <ond...@caletka.cz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2183|0 |1 is obsolete| | --- Comment #4 from Ondřej Caletka <ond...@caletka.cz> --- Created attachment 2188 --> https://bugzilla.mindrot.org/attachment.cgi?id=2188&action=edit Fix downgrade attack vulnerability in handling SSHFP records I realized that only fingerprints for same key algorithm as sshd offered should be counted as found. Otherwise, it would reject SHA-1 SSHFP only because there is a SHA-256 SSHFP for another key algorithm. As usual, testcase is here, having only SHA-1 SSHFP for RSA Host key: $ ./ssh -vv -o HostKeyAlgorithms=ssh-rsa -o VerifyHostKeyDNS=yes sshfp-test-downgrade.oskarcz.net -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. _______________________________________________ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs