Thanks for the responses. I ended up editing our OpenSSH install script so it will check Red Hat versions and install 6.6p1 on Red Hat 5 and 6.7p1 on 6 and 7 systems.

David Flatley

From: Damien Miller <djm@xxxxxxxxxxx>
To: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
Cc: David Flatley/Burlington/IBM@IBMUS, "openssh-unix-dev@xxxxxxxxxxx" <openssh-unix-dev@xxxxxxxxxxx>
Date: 11/20/2014 10:19 PM
Subject: Re: Fw: version question

On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:

> On Thu, Nov 20, 2014 at 9:31 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> > On Wed, 19 Nov 2014, Nico Kadel-Garcia wrote:
> >
> > > Use 6.6p1, or consider patching the check for openssl version in
> > > openbsd-compat/openssl-compat.h to ignore the failure, on the basis
> > > that RHEL has been backporting patches to openssl for RHEL 5.
> >
> > Do you understand why that check exists in the first place?
>
> That's why I asked.

Maybe you should ask _before_ recommending people disable checks in their
security software.

> A bit more digging shows that the Heartbleed bug apparently never
> applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
> that shouldn't be an issue there. OpenSSH version 6.6 was indeed
> compatible with that older OpenSSL on RHEL 5; I even just tested its
> basic functionality, so I assume it's not a major API incompatibility
> introduced with OpenSSH 6.7p1.

It has nothing to do with heartbleed - that is an SSL bug that doesn't affect
OpenSSH at all.

OpenSSL made a small API change in their 0.9.8 stable series that we
previously carried a compat hack for. The impact of not having this hack
is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
could cause connection problems or possibly insecurity in sshd.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
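The version dispatch David describes at the top of the thread (6.6p1 on Red Hat 5, 6.7p1 on 6 and 7) as an added POSIX shell example; this is not the install script from the thread or any OpenSSH project code. It assumes the RHEL major version can be read from a /etc/redhat-release line such as "Red Hat Enterprise Linux Server release 6.5 (Santiago)", and it refuses to guess for any major version the thread did not name rather than falling back to disabling the OpenSSL version check:

```shell
#!/bin/sh
# Added example, not the thread's script. Picks the OpenSSH release named in
# the thread for each RHEL major version and refuses anything else.
# Assumption: the major version is parsed from a /etc/redhat-release line
# (constructed sample: "Red Hat Enterprise Linux Server release 6.5 (Santiago)").

# Print the RHEL major version found in a redhat-release line, or fail.
rhel_major() {
    # $1: one line of /etc/redhat-release text
    major=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

# Map a RHEL major version to the OpenSSH release the thread reports as
# working there; unknown majors fail instead of silently picking one.
select_openssh_version() {
    case "$1" in
        5)   printf '6.6p1\n' ;;
        6|7) printf '6.7p1\n' ;;
        *)   return 1 ;;
    esac
}

# Read the release file (path overridable for testing) and print the
# OpenSSH release to install, failing loudly on anything unexpected.
choose_for_release_file() {
    file=${1:-/etc/redhat-release}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    major=$(rhel_major "$(cat "$file")") \
        || { echo "unrecognised release line in $file" >&2; return 1; }
    select_openssh_version "$major" \
        || { echo "no tested OpenSSH release for RHEL $major; refusing to guess" >&2; return 1; }
}
```

The point of failing on an unknown major version is the one Damien makes: the OpenSSL version check in openbsd-compat/openssl-compat.h exists because the 0.9.8 API change affects EVP_CIPHER_CTX_key_length(), so the safe response to a mismatch is to pick a build that was tested against that OpenSSL, not to patch the check out.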