Re: SSL vs. SSH in the context of CVE 2014-0160
Daniel Kahn Gillmor wrote:

> On 04/08/2014 11:08 PM, Chris Hill wrote:
> > SSH and SSL/TLS are simply different protocols (doh). They may share some
> > similar underlying crypto implementations, but as of their respective RFCs,
> > they are just different protocols. The TLS Heartbeat TLS extension would
> > not apply to SSH.
>
> The above is correct.
>
> > SSH "may" have its own way to keep alive, but that would
> > be a different implementation altogether.
>
> SSH does indeed have its own keepalive. Search for ServerAlive in
> ssh_config(5) and ClientAlive in sshd_config(5) if you want details. It
> is an entirely different mechanism from (D)TLS heartbeat.
>
> hope this helps,
>
> --dkg

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: SSL vs. SSH in the context of CVE 2014-0160
On 09/04/14 03:08, Chris Hill wrote:
> (Meant to post this on OpenSSL dev, but sent it to user in error,
> although I am getting some good answers there as well).
>
> Team, I am having a discussion with a few friends about why this
> OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO
> basic for many of you (apologize in advance), but can't think of
> any other way to prove my point other than speaking to the folks
> who really know (that's u). Or maybe I am the one wrong, wouldn't
> be the first time ;).

OpenSSH uses libcrypto but not libssl. This vulnerability is in libssl.
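Added example, not part of the original thread: one way to check the libcrypto-versus-libssl point above on a Linux host is to look at which OpenSSL libraries a binary is dynamically linked against. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Classify a binary's OpenSSL linkage from ldd-style output read on stdin.
#   libssl          the TLS library is linked (the heartbeat code lives there)
#   libcrypto-only  only the crypto primitives are linked
#   none            neither library appears among the dynamic dependencies
# Limitation: statically linked or bundled copies do not show up in ldd output.
classify_linkage() {
    deps=$(cat)
    if printf '%s\n' "$deps" | grep -q 'libssl\.so'; then
        echo libssl
    elif printf '%s\n' "$deps" | grep -q 'libcrypto\.so'; then
        echo libcrypto-only
    else
        echo none
    fi
}

# Wrapper for binaries you already trust (ldd may execute the target's loader).
check_binary() {
    ldd "$1" 2>/dev/null | classify_linkage
}

# Constructed ldd output for an SSH daemon (illustrative paths and addresses).
sample_sshd() {
    cat <<'EOF'
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000000000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000400000)
EOF
}

# Constructed ldd output for a TLS-speaking server (illustrative).
sample_tls_server() {
    cat <<'EOF'
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000000000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000400000)
EOF
}

# Usage: sh linkage.sh /usr/sbin/sshd /usr/sbin/nginx
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(check_binary "$bin")"
done
```

A `libssl` result only says the TLS library is loaded; whether the installed version is an affected one still has to be checked separately.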
Re: SSL vs. SSH in the context of CVE 2014-0160
Thanks for confirming, much appreciated!

-chris

On Wed, Apr 9, 2014 at 12:12 AM, Daniel Kahn Gillmor wrote:
> On 04/08/2014 11:08 PM, Chris Hill wrote:
> > SSH and SSL/TLS are simply different protocols (doh). They may share some
> > similar underlying crypto implementations, but as of their respective RFCs,
> > they are just different protocols. The TLS Heartbeat TLS extension would
> > not apply to SSH.
>
> The above is correct.
>
> > SSH "may" have its own way to keep alive, but that would
> > be a different implementation altogether.
>
> SSH does indeed have its own keepalive. Search for ServerAlive in
> ssh_config(5) and ClientAlive in sshd_config(5) if you want details. It
> is an entirely different mechanism from (D)TLS heartbeat.
>
> hope this helps,
>
> --dkg
Re: SSL vs. SSH in the context of CVE 2014-0160
On 04/08/2014 11:08 PM, Chris Hill wrote:
> SSH and SSL/TLS are simply different protocols (doh). They may share some
> similar underlying crypto implementations, but as of their respective RFCs,
> they are just different protocols. The TLS Heartbeat TLS extension would
> not apply to SSH.

The above is correct.

> SSH "may" have its own way to keep alive, but that would
> be a different implementation altogether.

SSH does indeed have its own keepalive. Search for ServerAlive in
ssh_config(5) and ClientAlive in sshd_config(5) if you want details. It
is an entirely different mechanism from (D)TLS heartbeat.

hope this helps,

--dkg