Date: Sat, 02 Mar 2013 11:07:07 -0500 From: Mike Tancsa <mike@sentex.net> To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= <des@des.no> Cc: stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd Message-ID: <513223AB.8080409@sentex.net> In-Reply-To: <86r4jxrdrx.fsf@ds4.des.no> References: <201302281843.r1SIhoaq004371@svn.freebsd.org> <5130D8E0.3020605@sentex.net> <5130E9F1.6050308@sentex.net> <867glqsy4q.fsf@ds4.des.no> <513108C4.10501@sentex.net> <8638wesvu1.fsf@ds4.des.no> <51316CA3.8000301@sentex.net> <86r4jxrdrx.fsf@ds4.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/2/2013 11:02 AM, Dag-Erling Smørgrav wrote: > Mike Tancsa <mike@sentex.net> writes: >> The pcaps and basic wireshark output at >> >> http://tancsa.com/openssh/ > > This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs > 5.8, both with aesni loaded. Ahh, ok. I will do it later this aft. > > Could you also ktrace the server in both cases? That was the daemon in both cases. ktrace /usr/sbin/sshd -dddd > > An easy workaround is to change the list of ciphers the server will > offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config. > The default is: > > Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour > > Either remove the AES entries or move them further down the list. The > client will normally pick the first supported cipher. As far as I can > tell, SecureCRT supports all the same ciphers that OpenSSH does, so just > moving arcfour{256,128} to the front of the list should work. > > (AFAIK, arcfour is also much faster than aes) Actually, I am just doing with a freebsd openssh client ssh -c aes128-cbc testhost-with-the-issue.sentex.ca Its for sure something to do with hardware crypto offload because it works fine with a cipher that is not accelerated. ---Mike > > DES -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?513223AB.8080409>