September 28, 2015
A comment from a reader (thanks again) reminded me of the compile/build option that builds OpenSSH without OpenSSL or LibreSSL. As he comments, this does simplify the maintenance of OpenSSH: one less library to support.
I noticed this flag (the configure option --without-openssl) with OpenSSH 6.8, but only as an experimental option with limited crypto support. I did not release a package of openssh-6.8p1 built with this flag, for two core reasons: 1) the internal tests failed, and I suspect that was a problem with the tests, not the application; and 2) uncertainty about how the limited crypto support would affect clients other than OpenSSH 6.8p1.
In short, as far as simplifying support goes, this helps with only one application. The bigger concerns are OpenSSH as a server (for AIX) and the many, many ssh clients that are still in use against it.
Starting with OpenSSH 6.7p1, OpenBSD has been changing many of the defaults in OpenSSH, beginning with the default crypto algorithms used to negotiate a connection: 6.7 dropped the CBC ciphers and arcfour from the default cipher list, and 7.0 additionally disabled the 1024-bit diffie-hellman-group1-sha1 key exchange and ssh-dss keys at run time. If your client is "modern" (e.g. the latest PuTTY client) it will work without any problem. However, if you prefer, as I do (soon to be did), a very old ssh client (mine is from 2003, and I am going to miss its user interface, since the publisher no longer sells to individuals), you will notice immediately that your client is not compatible with a "default" OpenSSH 6.7p1 or later server. The differences are greater again starting with OpenSSH 7.0.
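As an added example (not from this post and not the OpenSSH project's own configuration), here is an sshd_config fragment showing the choice an administrator faces when a legacy client can no longer negotiate with the 6.7/7.0 defaults: keep the defaults and upgrade the client, or append only the legacy algorithms that one client needs. The algorithm names are the ones OpenSSH 6.7 and 7.0 removed from their defaults; which of them a particular old client actually requires is an assumption here and must be confirmed from the client's behaviour before any line is enabled.

```conf
# sshd_config excerpt (added example; not from the post).

# Option 1 (preferred): change nothing. The OpenSSH 6.7+/7.0+ defaults already
# exclude the CBC ciphers, arcfour, hmac-md5, ssh-dss host keys and the 1024-bit
# diffie-hellman-group1-sha1 exchange. Replace the client instead of the policy.

# Option 2 (stopgap for a single legacy client): re-enable only what it needs.
# The "+" prefix appends to the default list instead of replacing it, so the
# modern algorithms stay available for modern clients. Which of these the old
# client needs is an assumption; check what it offered (sshd logs the rejected
# client's offer) and enable only that, then remove the line when the client is
# retired, because every one of these is known to be weak.
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc,3des-cbc
MACs +hmac-md5
HostKeyAlgorithms +ssh-dss
```

On the client side, an OpenSSH client lists what it can offer with `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac`, and `ssh -vv host` prints the algorithms actually negotiated; for third-party clients such as the 2003 one described above, the server's log of the failed negotiation is the place to read the client's offer. On releases that do not accept the `+` prefix, the full algorithm list has to be spelled out, which makes it easy to drop a modern algorithm by accident, so compare the result with the defaults listed in sshd_config(5).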
Considering the coming ban on SSLv3, TLS 1.0 and TLS 1.1, clients that depend on OpenSSL 0.9.8 will stop functioning soon, since 0.9.8 does not implement TLS 1.2. It is not enough to have a server that supports TLS 1.2: the client needs to as well. SSH does not use TLS, but the same pattern holds there: the client also needs to support the newer, stronger ciphers, key exchange methods and MACs (message authentication codes) that the server now offers by default.
The next nine months will see extensive updating of many applications that depend on cryptography, not just of the libraries they depend on.