Date: Sat, 02 Mar 2013 09:27:11 -0700 From: Ian Lepore <ian@FreeBSD.org> To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= <des@des.no> Cc: stable@FreeBSD.org, svn-src-stable-9@FreeBSD.org Subject: Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd Message-ID: <1362241631.1195.147.camel@revolution.hippie.lan> In-Reply-To: <86r4jxrdrx.fsf@ds4.des.no> References: <201302281843.r1SIhoaq004371@svn.freebsd.org> <5130D8E0.3020605@sentex.net> <5130E9F1.6050308@sentex.net> <867glqsy4q.fsf@ds4.des.no> <513108C4.10501@sentex.net> <8638wesvu1.fsf@ds4.des.no> <51316CA3.8000301@sentex.net> <86r4jxrdrx.fsf@ds4.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 2013-03-02 at 17:02 +0100, Dag-Erling Sm=F8rgrav wrote: > Mike Tancsa <mike@sentex.net> writes: > > The pcaps and basic wireshark output at > > > > http://tancsa.com/openssh/ >=20 > This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs > 5.8, both with aesni loaded. >=20 > Could you also ktrace the server in both cases? >=20 > An easy workaround is to change the list of ciphers the server will > offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config. > The default is: >=20 > Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-c= bc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour >=20 > Either remove the AES entries or move them further down the list. The > client will normally pick the first supported cipher. As far as I can > tell, SecureCRT supports all the same ciphers that OpenSSH does, so jus= t > moving arcfour{256,128} to the front of the list should work. >=20 > (AFAIK, arcfour is also much faster than aes) The last time I tried to affect the chosen cypher by manipulating the order of the list items in the config files was a couple years ago, but I found then that you just can't do that. The client side, not the server, decides on the order, and it's based on compiled-in ordering within the client code (not the client config). From the server side the only thing you can do to affect the order is leave items out of the list (it will still try the remaining list items in the client-requested order). All of this was with "OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010" and may be completely out of date now. -- Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1362241631.1195.147.camel>