Date:      Wed, 5 Mar 2003 16:47:47 -0600
From:      "Jacques A. Vidrine" <nectar@FreeBSD.org>
To:        Julian Elischer <julian@elischer.org>
Cc:        hackers@freebsd.org
Subject:   Re: ssh/ssl linkage
Message-ID:  <20030305224747.GA71781@madman.celabo.org>
In-Reply-To: <Pine.BSF.4.21.0303051408280.61509-100000@InterJet.elischer.org> <Pine.BSF.4.21.0303051350510.61509-100000@InterJet.elischer.org>
References:  <Pine.BSF.4.21.0303051350510.61509-100000@InterJet.elischer.org> <Pine.BSF.4.21.0303051408280.61509-100000@InterJet.elischer.org> <Pine.BSF.4.21.0303051350510.61509-100000@InterJet.elischer.org>

On Wed, Mar 05, 2003 at 01:55:14PM -0800, Julian Elischer wrote:
> 
> OpenSSH uses openssl to a great extent, however when you do
[ ... ]
> so my question is:
> how is the connection made to libssl?
> is it via libcrypto?
> is it statically built into the ssh binary?

OpenSSH doesn't actually use SSL/TLS (libssl).  It only uses the
general cryptography library of OpenSSL (libcrypto).

> If I upgrade openssl due to the security upgrade,
> should I recompile ssh as well?

Yes, you must.  (See below.)


On Wed, Mar 05, 2003 at 02:10:45PM -0800, Julian Elischer wrote:
> to answer myself a bit..
> It looks like openssl generates two parts:
> libcrypto and libssl

Right.

> If I upgrade openssl,
> I should make a new libcrypto and libssl
> and since ssh uses only libcrypto, I should not need to 
> upgrade ssh..

I assume you mean `rebuild' rather than `upgrade'.
 
> If I'm wrong.. let me know :-)

You are wrong, but it's not your fault :-)  OpenSSH specifically
checks the version of OpenSSL which it finds at runtime, and if it
does not match the version it found at build-time, then it barfs
with
  "OpenSSL version mismatch. Built against FOO, you have BAR"

The OpenSSH guys don't trust that the semantics of the API stay the
same across releases, even if the ABI stays the same.  I guess I
cannot blame them for this extra paranoia.

Cheers,
-- 
Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
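
The version check described in the reply above, as an added illustration that is not part of the original message and not OpenSSH's own source. It models what the mail says OpenSSH did at the time: compare the OpenSSL version number the binary was compiled against (in real code the `OPENSSL_VERSION_NUMBER` header macro) with the one the library reports at runtime (in real code the `SSLeay()` function, later renamed `OpenSSL_version_num()`), and refuse to run on any difference. The example takes the two numbers as plain arguments instead of calling OpenSSL, so it builds without libcrypto; the values `0x0090700f` / `0x0090701f` (0.9.7 and 0.9.7a) are constructed inputs, and the decoder follows the classic pre-3.0 `0xMNNFFPPS` layout of that macro.

```c
#include <stdio.h>
#include <string.h>

/*
 * Decode the classic OpenSSL (pre-3.0) version number layout 0xMNNFFPPS:
 *   M  = major (4 bits), NN = minor, FF = fix, PP = patch letter
 *   (0 = none, 1 = 'a', 2 = 'b', ...), S = status (0xf = release).
 * Writes e.g. "0.9.7a" into out.
 */
void openssl_version_string(unsigned long v, char *out, size_t len)
{
    unsigned major  = (unsigned)((v >> 28) & 0xf);
    unsigned minor  = (unsigned)((v >> 20) & 0xff);
    unsigned fix    = (unsigned)((v >> 12) & 0xff);
    unsigned patch  = (unsigned)((v >> 4)  & 0xff);
    unsigned status = (unsigned)(v & 0xf);
    char letter[8] = "";

    if (patch >= 1 && patch <= 26)
        snprintf(letter, sizeof letter, "%c", 'a' + (int)patch - 1);
    else if (patch > 26)
        snprintf(letter, sizeof letter, "+%u", patch);   /* beyond 'z'; rare */

    snprintf(out, len, "%u.%u.%u%s%s", major, minor, fix, letter,
             status == 0xf ? "" : "-dev");
}

/*
 * The check the mail describes: the binary only runs if the library found
 * at runtime reports exactly the version it was built against.
 * Returns 1 on match. On mismatch returns 0 and, if msg is non-NULL, fills
 * it with a diagnostic in the shape the mail quotes (hex values as real
 * OpenSSH printed them, decoded strings added here for readability).
 */
int check_openssl_version(unsigned long built_against, unsigned long runtime,
                          char *msg, size_t len)
{
    char b[32], r[32];

    if (built_against == runtime) {
        if (msg && len)
            msg[0] = '\0';
        return 1;
    }

    openssl_version_string(built_against, b, sizeof b);
    openssl_version_string(runtime, r, sizeof r);
    if (msg && len)
        snprintf(msg, len,
                 "OpenSSL version mismatch. Built against %lx (%s), you have %lx (%s)",
                 built_against, b, runtime, r);
    return 0;
}

int main(void)
{
    /* Constructed values: an ssh binary built against 0.9.7 running on a
     * system where libcrypto was just upgraded to 0.9.7a without a rebuild. */
    unsigned long built   = 0x0090700fUL;
    unsigned long present = 0x0090701fUL;
    char msg[128];

    if (!check_openssl_version(built, present, msg, sizeof msg))
        printf("%s\n", msg);   /* mismatch: ssh would abort here */
    else
        printf("OpenSSL version OK\n");

    /* Same values after rebuilding ssh against the new library. */
    if (check_openssl_version(present, present, msg, sizeof msg))
        printf("OpenSSL version OK after rebuild\n");
    return 0;
}
```

A quick way to confirm on a live system which of the two OpenSSL libraries a binary actually links is `ldd /usr/bin/ssh`, which lists libcrypto but, as the reply notes, no libssl for OpenSSH; the rebuild requirement nonetheless stands, because the runtime check above is on the version number, not on which library is present.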
