Bookmark and Share

Recent Posts

OpenSSH Built on LibreSSL

April 26, 2015

Last year, OpenSSL got a lot of bad press – and some felt very deserved bad press. These were addressed by the OpenSSL developers and we have newer versions that have patched these “concerns.”

Another group of developers (OpenBSD) is much more critical of the current state of OpenSSL – even after the patches – because they feel there are inherent problems with the way OpenSSL has developed. They took the course of “putting their money where their mouth is” and started their own branch of OpenSSL – naming it “LibreSSL.”

I first noticed LibreSSL in December 2014. To my dismay, there was no AIX in portable. So I got involved, from the sidelines, hoping to get AIX – sooner rather than later -“officially” into libressl-portable. Currently, OpenBSD is working on version libressl-2.2.0 and AIX is included in the trunk – so while I will have a pseudo release candidate based on the latest release (libressl-2.1.6), AIX will be official when version 2.2.0 is released.
Wasn't This About OpenSSH!?
Another project of OpenBSD is maintaining OpenSSH. They have frequent updates – and as I have recently learned – version 6.8 could just as well be version 68. They are not labeling new features or specific changes in directions based on some “version.release.modification” numbering scheme. 6.8 is not 6.7, is not 6.6, etc. To know the differences, you need to read the release notes. More specifically, they are not coming with a new release – on purpose - to fix any CVE. From some email exchanges, I get the impression they would consider that much too late. My paraphrase is: we fix things as we find them (and we tend to find and fix things before they are reported to us). The other important point here: no maintenance is done on old releases. Their plan is use the newest release. If you find the same problem there, tell us and we will fix it.
AIX and OpenSSH
The latest OpenSSH released via IBM may have the latest CVE with regard to OpenSSH released – but this release (v6.0) is not the release OpenBSD has looked at for years. So, to help out, I have a two packages of the latest release of OpenSSH available on aixtools.
1. OpenSSH based on OpenSSL

OpenSSH- (aka openssh-6.8p1) can be found at its project page or via this direct link to package. The nice thing about this new version is it is one size fits all (given that AIX 5.3 TL7 is the lowest/oldest level of AIX you can install it on) if you have the latest version of openssl.base for your level of AIX.

 2. OpenSSH based on LibreSSL

For the curious/daring, I have also created a version of OpenSSH linked against LibreSSL. Like the OpenSSL version above it puts it files in /opt/* and can be installed in parallel with the AIX (i.e., IBM version) version of OpenSSH. The only external difference is the name of the package. The OpenSSH package is named aixtools.libressl.openssh rather the aixtools.openbsd.openssh. Find it at the libreSSL project page  or the libreSSH project page.  You can also find the installp packages at and .
To learn if this is important to you, I recommend you take a little time and look at the OpenBSD portal pages for OpenSSH and LibreSSL – or minimally the openssh-release-notes and libressl-release-notes.

Posted April 26, 2015 | Permalink

Post a Comment

Note: Comments are moderated and will not appear until approved

comments powered by Disqus