Hello, I got a failure on configuring the master branch on Fedora 39: upstream/openssh-portable$ ./configure --disable-dsa .... checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023) checking for OpenSSL_version... yes checking for OpenSSL_version_num... yes checking OpenSSL library version... configure: error: Unknown/unsupported OpenSSL version ("30100010 (OpenSSL 3.1.1 30 May 2023)") On Tue, Mar 5, 2024 at 1:26 AM Damien Miller <djm@xxxxxxxxxxx> wrote: > > Hi, > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported > directly to openssh@xxxxxxxxxxx. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Future deprecation notice > ========================= > > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025 and compile-time disable it later this year. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs[3], mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA in > OpenSSH to be justified and hope that removing it from OpenSSH can > accelerate its wider deprecation in supporting cryptography > libraries. > > This release makes DSA support in OpenSSH compile-time optional, > defaulting to on. We intend the next release to change the default > to disable DSA at compile time. The first OpenSSH release of 2025 > will remove DSA support entirely. > > Changes since OpenSSH 9.6 > ========================= > > This release contains mostly bugfixes. > > New features > ------------ > > * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches > all open channels and will close all open channels if there is no > traffic on any of them for the specified interval. This is in > addition to the existing per-channel timeouts added recently. > > This supports situations like having both session and x11 > forwarding channels open where one may be idle for an extended > period but the other is actively used. The global timeout could > close both channels when both have been idle for too long. > > * All: make DSA key support compile-time optional, defaulting to on. > > Bugfixes > -------- > > * sshd(8): don't append an unnecessary space to the end of subsystem > arguments (bz3667) > > * ssh(1): fix the multiplexing "channel proxy" mode, broken when > keystroke timing obfuscation was added. (GHPR#463) > > * ssh(1), sshd(8): fix spurious configuration parsing errors when > options that accept array arguments are overridden (bz3657). > > * Many fixes to manual pages and other documentation, including > GHPR#462, GHPR#454, GHPR#442 and GHPR#441. > > * Greatly improve interop testing against PuTTY. > > Portability > ----------- > > * Improve the error message when the autoconf OpenSSL header check > fails (bz#3668) > > * Improve detection of broken toolchain -fzero-call-used-regs support > (bz3645). > > * Fix regress/misc/fuzz-harness fuzzers and make them compile without > warnings when using clang16 > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- Dmitry Belyavskiy _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev