On Sat, Feb 10, 2018 at 10:19:20PM +0000, Salz, Rich wrote:

>     > Is blowfish actually outdated?  I thought it had some significant use,
>     > and don't recall any major weakness...
>     In particular, IIRC OpenSSH uses blowfish, and links to OpenSSL for
>     the underlying cipher...
> PGP use to be a heavy user, but now it only decrypts or does key-wrapping for 
> compatibility; it no longer uses blowfish to encrypt data.
> SSH uses it, but according to 
> https://bbs.archlinux.org/viewtopic.php?id=188613 it has been removed, circa 
> 2014.
> Schneier recommends not using it, and use its successor(s) instead, which we 
> don't implement.

Removed in 2014 is much too recent, there are still LTS systems
with older SSH versions, and modern platforms that may want to
interoperate.  So I'm very reluctant to support removal of blowfish
ASM at this time...

openssl-project mailing list

Reply via email to