From owner-svn-src-stable-9@FreeBSD.ORG Sat Mar 2 16:27:15 2013
Subject: Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd
From: Ian Lepore <ian@FreeBSD.org>
To: Dag-Erling Smørgrav
Cc: stable@FreeBSD.org, svn-src-stable-9@FreeBSD.org
Date: Sat, 02 Mar 2013 09:27:11 -0700
Message-ID: <1362241631.1195.147.camel@revolution.hippie.lan>
In-Reply-To: <86r4jxrdrx.fsf@ds4.des.no>
References: <201302281843.r1SIhoaq004371@svn.freebsd.org> <5130D8E0.3020605@sentex.net> <5130E9F1.6050308@sentex.net> <867glqsy4q.fsf@ds4.des.no> <513108C4.10501@sentex.net> <8638wesvu1.fsf@ds4.des.no> <51316CA3.8000301@sentex.net> <86r4jxrdrx.fsf@ds4.des.no>

On Sat, 2013-03-02 at 17:02 +0100, Dag-Erling Smørgrav wrote:
> Mike Tancsa writes:
> > The pcaps and basic wireshark output at
> >
> > http://tancsa.com/openssh/
>
> This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs
> 5.8, both with aesni loaded.
>
> Could you also ktrace the server in both cases?
>
> An easy workaround is to change the list of ciphers the server will
> offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config.
> The default is:
>
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
>
> Either remove the AES entries or move them further down the list. The
> client will normally pick the first supported cipher. As far as I can
> tell, SecureCRT supports all the same ciphers that OpenSSH does, so just
> moving arcfour{256,128} to the front of the list should work.
>
> (AFAIK, arcfour is also much faster than aes)

The last time I tried to affect the chosen cypher by manipulating the
order of the list items in the config files was a couple years ago, but
I found then that you just can't do that. The client side, not the
server, decides on the order, and it's based on compiled-in ordering
within the client code (not the client config). From the server side
the only thing you can do to affect the order is leave items out of the
list (it will still try the remaining list items in the client-requested
order).

All of this was with "OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308, OpenSSL
0.9.8q 2 Dec 2010" and may be completely out of date now.

-- Ian
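The negotiation rule behind this exchange is the one in RFC 4253 section 7.1: the chosen cipher is the first name on the client's list that also appears on the server's list, so the server's ordering never matters, only its membership. The following model is an added example, not code from OpenSSH or from anyone in the thread; the server list is the sshd_config default quoted above, and the client preference list is a constructed one.

```python
"""Model of SSH transport cipher negotiation (RFC 4253, section 7.1).

Shows why reordering the server's Ciphers line does not change the
outcome, while removing entries from it does.
"""
from typing import Optional

# Server side: the sshd_config default quoted in the thread.
SERVER_DEFAULT = ("aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
                  "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,"
                  "aes192-cbc,aes256-cbc,arcfour")
# Client side: a constructed preference list (compiled into the client).
CLIENT_PREFS = "aes128-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc"
AES_NAMES = ("aes128-ctr", "aes192-ctr", "aes256-ctr",
             "aes128-cbc", "aes192-cbc", "aes256-cbc")


def parse_name_list(name_list: str) -> list:
    """Split a comma-separated SSH name-list, dropping empty entries."""
    return [n.strip() for n in name_list.split(",") if n.strip()]


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """Return the first client-preferred cipher the server also offers,
    or None when the two lists share nothing."""
    offered = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in offered:
            return name
    return None


def without(name_list: str, *drop: str) -> str:
    """Server-side knob that does work: leave names out of the list."""
    return ",".join(n for n in parse_name_list(name_list) if n not in drop)


def arcfour_first(name_list: str) -> str:
    """Server-side knob that does not work: move arcfour* to the front."""
    names = parse_name_list(name_list)
    front = [n for n in names if n.startswith("arcfour")]
    return ",".join(front + [n for n in names if n not in front])


if __name__ == "__main__":
    print("default      :", negotiate(CLIENT_PREFS, SERVER_DEFAULT))
    print("reordered    :", negotiate(CLIENT_PREFS, arcfour_first(SERVER_DEFAULT)))
    print("AES removed  :", negotiate(CLIENT_PREFS, without(SERVER_DEFAULT, *AES_NAMES)))
```

Running it picks aes128-ctr for both the default and the reordered server list, and only the list with the AES entries removed yields arcfour256.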