From owner-freebsd-hackers Wed Mar 5 14:47:50 2003
Date: Wed, 5 Mar 2003 16:47:47 -0600
From: "Jacques A. Vidrine"
To: Julian Elischer
Cc: hackers@freebsd.org
Subject: Re: ssh/ssl linkage
Message-ID: <20030305224747.GA71781@madman.celabo.org>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1

On Wed, Mar 05, 2003 at 01:55:14PM -0800, Julian Elischer wrote:
>
> OpenSSH uses openssl to a great extent, however when you do [ ... ]
> so my question is:
> how is the connection made to libssl?
> is it via libcrypto?
> is it statically built into the ssh binary?

OpenSSH doesn't actually use SSL/TLS (libssl).  It only uses the
general cryptography library of OpenSSL (libcrypto).

> If I upgrade openssl due to the security upgrade,
> should I recompile ssh as well?

Yes, you must.  (See below.)

On Wed, Mar 05, 2003 at 02:10:45PM -0800, Julian Elischer wrote:
> to answer myself a bit..
> It looks like openssl generates two parts:
> libcrypto and libssl

Right.

> If I upgrade openssl,
> I should make a new libcrypto and libssl
> and since ssh uses only libcrypto, I should not need to
> upgrade ssh..

I assume you mean `rebuild' rather than `upgrade'.

> If I'm wrong.. let me know :-)

You are wrong, but it's not your fault :-)

OpenSSH specifically checks the version of OpenSSL which it finds at
runtime, and if it does not match the version it found at build-time,
then it barfs with

  "OpenSSL version mismatch. Built against FOO, you have BAR"

The OpenSSH guys don't trust that the semantics of the API stay the
same across releases, even if the ABI stays the same.  I guess I
cannot blame them for this extra paranoia.

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME      . FreeBSD UNIX       . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
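An added illustration of the build-time versus run-time check Jacques describes; it is not code from the message or from OpenSSH. It decodes OpenSSL-style version numbers (0xMNNFFPPS), shows a strict equality check beside a relaxed one that tolerates only a patch-letter change, and formats the mismatch message the email quotes. The version values and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* OpenSSL encodes its version as 0xMNNFFPPS: major (4 bits), minor (8),
 * fix (8), patch letter (8), release status (4).  Sample values used here
 * (0.9.7a = 0x0090701f, 0.9.7b = 0x0090702f, 0.9.6a = 0x0090601f) are
 * constructed inputs, not read from any installed library. */
typedef struct {
    unsigned major, minor, fix, patch, status;
} ssl_version;

ssl_version decode_version(unsigned long v)
{
    ssl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Strict policy: the number baked in at build time (OPENSSL_VERSION_NUMBER)
 * must equal the one the loaded library reports at run time. */
bool versions_match_exact(unsigned long built, unsigned long running)
{
    return built == running;
}

/* Relaxed policy: ignore only the patch-letter field (bits 4..11), so
 * 0.9.7a vs 0.9.7b passes while 0.9.6a vs 0.9.7a still fails. */
bool versions_match_ignoring_patch(unsigned long built, unsigned long running)
{
    return ((built ^ running) & ~0xff0UL) == 0;
}

/* Strict check; on mismatch writes the quoted message. Returns 1 on mismatch. */
int check_openssl_version(unsigned long built, unsigned long running,
                          char *msg, size_t msglen)
{
    if (versions_match_exact(built, running)) {
        msg[0] = '\0';
        return 0;
    }
    snprintf(msg, msglen,
             "OpenSSL version mismatch. Built against %lx, you have %lx",
             built, running);
    return 1;
}
```

The relaxed variant is the practical middle ground: a rebuilt libcrypto with only a new patch letter is accepted, while a minor or fix bump still forces the rebuild the email says is required.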