Thanks Wim.

On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis <w...@omnigroup.com> wrote:

>
> On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> > Team, I am having a discussion with a few friends about why this
> OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for
> many of you (apologize in advance), but can't think of any other way to
> prove my point other than speaking to the folks who really know (that's u).
> Or maybe I am the one wrong, wouldn't be the first time ;).
> >
> > A quick response to my friends could be simply diffing the files for the
> actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a
> more classy answer.
> >
> > Is the below ok or am I completely off?
> >
> > Thank you in advance
> >
> > SSH and SSL/TLS are simply different protocols (doh). They may share
> some similar underlying crypto implementations, but as of their respective
> RFCs, they are just different protocols. The TLS Heartbeat TLS extension
> would not apply to SSH. SSH "may" have its own way to keep alive, but that
> would be a different one.
> >
> > Chris.
>
> This is correct as I understand it. ssh uses openssl mostly for crypto
> operations, but the ssh protocol does not have anything in common with
> ssl/tls (other than some fairly general design aspects). The heartbeat bug
> is particular to the openssl implementation of the heartbeat feature in
> tls, and that code isn't used by openssh.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
