Thanks Wim.
On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis w...@omnigroup.com wrote:
On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
Team, I am having a discussion with a few friends about why this
OpenSSL vuln (CVE-2014-0160) does not affect SSH. This may be TOO basic for
many of you (apologize in advance), but can't think of any other way to
prove my point other than speaking to the folks who really know (that's u).
Or maybe I am the one wrong, wouldn't be the first time ;).
A quick response to my friends could be simply diffing the files for the
actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a
more classy answer.
Is the below ok or am I completely off?
Thank you in advance
SSH and SSL/TLS are simply different protocols (doh). They may share
some similar underlying crypto implementations, but as of their respective
RFCs, they are just different protocols. The TLS Heartbeat TLS extension
would not apply to SSH. SSH may have its own way to keep alive, but that
would be a different one.
Chris.
This is correct as I understand it. ssh uses openssl mostly for crypto
operations, but the ssh protocol does not have anything in common with
ssl/tls (other than some fairly general design aspects). The heartbeat bug
is particular to the openssl implementation of the heartbeat feature in
tls, and that code isn't used by openssh.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org