On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> Team, I am having a discussion with a few friends about why this OpenSSL 
> vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of 
> you (apologize in advance), but can't think of any other way to prove my 
> point other than speaking to the folks who really know (that's u). Or maybe I 
> am the one wrong, wouldn't be the first time ;).
> 
> A quick response to my friends could be simply diffing the files for the 
> actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a more 
> classy answer. 
> 
> Is the below ok or am I completely off?
> 
> Thank you in advance
> 
> SSH and SSL/TLS are simply different protocols (doh). They may share some 
> similar underlying crypto implementations, but as of their respective RFCs, 
> they are just different protocols. The TLS Heartbeat TLS extension would not 
> apply to SSH. SSH "may" have its own way to keep alive, but that would be a 
> different one.
> 
> Chris.

This is correct as I understand it. ssh uses openssl mostly for crypto 
operations, but the ssh protocol does not have anything in common with ssl/tls 
(other than some fairly general design aspects). The heartbeat bug is 
particular to the openssl implementation of the heartbeat feature in tls, and 
that code isn't used by openssh.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
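
The protocol difference discussed in this thread, shown on the wire (an added example, not part of the original messages and not OpenSSL or OpenSSH code): an SSH peer opens with a text identification line (RFC 4253), while TLS traffic is framed as records whose first byte is a content type, and heartbeat is content type 24 (RFC 6520). The function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record content types; 24 (heartbeat) is the one defined by RFC 6520.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                     23: "application_data", 24: "heartbeat"}
MAX_RECORD_LEN = 2**14 + 2048  # largest TLS record body (TLSCiphertext)


def tls_record_types(data: bytes):
    """Walk consecutive TLS records and return their content-type names.

    Returns None as soon as the bytes stop looking like TLS record headers.
    """
    names, offset = [], 0
    while offset + 5 <= len(data):
        # Record header: content type (1 byte), version (2), body length (2).
        ctype, major, _minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in TLS_CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            return None
        names.append(TLS_CONTENT_TYPES[ctype])
        offset += 5 + length
    return names or None


def classify_stream_start(data: bytes):
    """Return ("ssh", banner), ("tls", record_types) or ("unknown", None)."""
    # RFC 4253: each SSH side opens with "SSH-protoversion-softwareversion".
    if data.startswith(b"SSH-"):
        banner = data.split(b"\n", 1)[0].rstrip(b"\r")
        return ("ssh", banner.decode("ascii", "replace"))
    types = tls_record_types(data)
    if types:
        return ("tls", types)
    return ("unknown", None)


# Constructed sample inputs (not captured traffic; record bodies are filler).
SSH_SAMPLE = b"SSH-2.0-ExampleSSH_1.0\r\n"
TLS_SAMPLE = (b"\x16\x03\x01\x00\x04" + b"\x00" * 4         # handshake record
              + b"\x18\x03\x02\x00\x03" + b"\x01\x00\x00")  # heartbeat record

if __name__ == "__main__":
    print(classify_stream_start(SSH_SAMPLE))
    print(classify_stream_start(TLS_SAMPLE))
```

An SSH stream never carries a TLS record header, so there is no heartbeat record for an SSH server to receive or answer.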
