Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-09 Thread Chris Hill
Thanks Wim.


On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis w...@omnigroup.com wrote:


> On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> > Team, I am having a discussion with a few friends about why this
> > OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for
> > many of you (apologize in advance), but can't think of any other way to
> > prove my point other than speaking to the folks who really know (that's u).
> > Or maybe I am the one wrong, wouldn't be the first time ;).
> >
> > A quick response to my friends could be simply diffing the files for the
> > actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a
> > more classy answer.
> >
> > Is the below ok or am I completely off?
> >
> > Thank you in advance
> >
> > SSH and SSL/TLS are simply different protocols (doh). They may share
> > some similar underlying crypto implementations, but as of their respective
> > RFCs, they are just different protocols. The TLS Heartbeat TLS extension
> > would not apply to SSH. SSH may have its own way to keep alive, but that
> > would be a different one.
> >
> > Chris.
>
> This is correct as I understand it. ssh uses openssl mostly for crypto
> operations, but the ssh protocol does not have anything in common with
> ssl/tls (other than some fairly general design aspects). The heartbeat bug
> is particular to the openssl implementation of the heartbeat feature in
> tls, and that code isn't used by openssh.


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List openssl-users@openssl.org
 Automated List Manager   majord...@openssl.org



Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-08 Thread Wim Lewis

On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> Team, I am having a discussion with a few friends about why this OpenSSL
> vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of
> you (apologize in advance), but can't think of any other way to prove my
> point other than speaking to the folks who really know (that's u). Or maybe I
> am the one wrong, wouldn't be the first time ;).
>
> A quick response to my friends could be simply diffing the files for the
> actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a more
> classy answer.
>
> Is the below ok or am I completely off?
>
> Thank you in advance
>
> SSH and SSL/TLS are simply different protocols (doh). They may share some
> similar underlying crypto implementations, but as of their respective RFCs,
> they are just different protocols. The TLS Heartbeat TLS extension would not
> apply to SSH. SSH may have its own way to keep alive, but that would be a
> different one.
>
> Chris.

This is correct as I understand it. ssh uses openssl mostly for crypto 
operations, but the ssh protocol does not have anything in common with ssl/tls 
(other than some fairly general design aspects). The heartbeat bug is 
particular to the openssl implementation of the heartbeat feature in tls, and 
that code isn't used by openssh.
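
The statement that the heartbeat code is not used by OpenSSH can be checked on a host by looking at which OpenSSL library a binary loads; the script below is an added example, not part of the original thread. It relies on the TLS protocol code (the ssl/ files named in the question) being built into libssl while the crypto routines live in libcrypto; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which OpenSSL library a
# binary loads. libssl carries the TLS/DTLS protocol code (the ssl/
# directory, e.g. ssl/t1_lib.c and ssl/d1_both.c); libcrypto carries the
# crypto primitives.

# classify_openssl_use (hypothetical name): read `ldd` or `objdump -p`
# output on stdin and print tls-stack, crypto-only or none.
classify_openssl_use() {
    awk '
        { lib = ($1 == "NEEDED") ? $2 : $1 }   # objdump vs. ldd layout
        lib ~ /^libssl\.so/    { ssl = 1 }
        lib ~ /^libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl)         print "tls-stack"
            else if (crypto) print "crypto-only"
            else             print "none"
        }'
}

# Constructed sample: a binary that uses OpenSSL for crypto only.
sample_crypto_only() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc00000000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000200000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
EOF
}

# Constructed sample: a TLS server that loads the protocol library too.
sample_tls_server() {
    cat <<'EOF'
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000300000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
EOF
}

# Real use: pass binary paths as arguments. ldd may execute code from the
# file it inspects, so use `objdump -p FILE` for binaries you do not trust.
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_openssl_use)"
done
```

A dynamic-link listing does not show a statically linked OpenSSL, so a `none` result for such a binary is not conclusive. A `tls-stack` result only means the TLS protocol code is loaded, not that the installed version is affected.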

