On Mon, Jul 13, 2015 at 6:58 PM, Kevin Oberman <[email protected]> wrote:
> Annoying! ssh has explicitly never used of OpenSSL. I just confirmed that
> it still does not. It does use gssapi and kerberos, so even though it makes
> no use of OpenSSL, it does use those two things which are not actually part
> of OpenSSL. If you check /usr/src/crypto/openssl, there is no gssapi or
> kerberos there. Both of these are in the heimdal sources. Looks to me like
> WITHOUT_OPENSSL
> is really without a few other things but NOT OpenSSL. Very weird.
>
Um? On most platforms OpenSSH uses OpenSSL's libcrypto. This was a FAQ
nearly everywhere when there was a bug in the SSL/TLS part of OpenSSL and
OpenSSH was updated as part of it ("no, OpenSSH is not vulnerable, but it
depends on OpenSSL's libcrypto; while that part was not buggy, it had to be
updated at the same time as the buggy TLS part").
--
brandon s allbery kf8nh sine nomine associates
[email protected] [email protected]
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[email protected]"
