From owner-freebsd-stable@FreeBSD.ORG Sat Mar 2 16:06:49 2013 Return-Path: Delivered-To: stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 49FFF101; Sat, 2 Mar 2013 16:06:49 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) by mx1.freebsd.org (Postfix) with ESMTP id E7CCA35E; Sat, 2 Mar 2013 16:06:48 +0000 (UTC) Received: from [192.168.43.26] (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.5/8.14.5) with ESMTP id r22G6mQr044616; Sat, 2 Mar 2013 11:06:48 -0500 (EST) (envelope-from mike@sentex.net) Message-ID: <513223AB.8080409@sentex.net> Date: Sat, 02 Mar 2013 11:07:07 -0500 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= Subject: Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd References: <201302281843.r1SIhoaq004371@svn.freebsd.org> <5130D8E0.3020605@sentex.net> <5130E9F1.6050308@sentex.net> <867glqsy4q.fsf@ds4.des.no> <513108C4.10501@sentex.net> <8638wesvu1.fsf@ds4.des.no> <51316CA3.8000301@sentex.net> <86r4jxrdrx.fsf@ds4.des.no> In-Reply-To: <86r4jxrdrx.fsf@ds4.des.no> X-Enigmail-Version: 1.4.2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.72 on 64.7.153.18 Cc: stable@freebsd.org, svn-src-stable-9@freebsd.org X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Mar 2013 16:06:49 -0000 On 3/2/2013 11:02 AM, Dag-Erling Smørgrav wrote: > Mike Tancsa writes: >> The pcaps and basic wireshark output at >> >> http://tancsa.com/openssh/ > > This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs > 5.8, both with aesni loaded. Ahh, ok. I will do it later this aft. > > Could you also ktrace the server in both cases? That was the daemon in both cases. ktrace /usr/sbin/sshd -dddd > > An easy workaround is to change the list of ciphers the server will > offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config. > The default is: > > Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour > > Either remove the AES entries or move them further down the list. The > client will normally pick the first supported cipher. As far as I can > tell, SecureCRT supports all the same ciphers that OpenSSH does, so just > moving arcfour{256,128} to the front of the list should work. > > (AFAIK, arcfour is also much faster than aes) Actually, I am just doing with a freebsd openssh client ssh -c aes128-cbc testhost-with-the-issue.sentex.ca Its for sure something to do with hardware crypto offload because it works fine with a cipher that is not accelerated. ---Mike > > DES -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/