From owner-freebsd-stable@FreeBSD.ORG  Sat Mar  2 16:02:11 2013
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id DA1C0F09;
 Sat,  2 Mar 2013 16:02:11 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id 8ED8A326;
 Sat,  2 Mar 2013 16:02:11 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
 by smtp-int.des.no (Postfix) with ESMTP id 9B2A876CE;
 Sat,  2 Mar 2013 16:02:10 +0000 (UTC)
Received: by ds4.des.no (Postfix, from userid 1001)
 id 625A39DB1; Sat,  2 Mar 2013 17:02:10 +0100 (CET)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Mike Tancsa <mike@sentex.net>
Subject: Re: svn commit: r247485 - in stable/9: crypto/openssh
 crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd
References: <201302281843.r1SIhoaq004371@svn.freebsd.org>
 <5130D8E0.3020605@sentex.net> <5130E9F1.6050308@sentex.net>
 <867glqsy4q.fsf@ds4.des.no> <513108C4.10501@sentex.net>
 <8638wesvu1.fsf@ds4.des.no> <51316CA3.8000301@sentex.net>
Date: Sat, 02 Mar 2013 17:02:10 +0100
In-Reply-To: <51316CA3.8000301@sentex.net> (Mike Tancsa's message of "Fri, 01
 Mar 2013 22:06:11 -0500")
Message-ID: <86r4jxrdrx.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: stable@freebsd.org, svn-src-stable-9@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2013 16:02:11 -0000

Mike Tancsa <mike@sentex.net> writes:
> The pcaps and basic wireshark output at
>
> http://tancsa.com/openssh/

This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs
5.8, both with aesni loaded.

Could you also ktrace the server in both cases?

An easy workaround is to change the list of ciphers the server will
offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config.
The default is:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3=
des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

Either remove the AES entries or move them further down the list.  The
client will normally pick the first supported cipher.  As far as I can
tell, SecureCRT supports all the same ciphers that OpenSSH does, so just
moving arcfour{256,128} to the front of the list should work.

(AFAIK, arcfour is also much faster than aes)

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no