Hello,
I got a failure on configuring the master branch on Fedora 39:
upstream/openssh-portable$ ./configure --disable-dsa
....
checking OpenSSL header version... 30100010 (OpenSSL 3.1.1 30 May 2023)
checking for OpenSSL_version... yes
checking for OpenSSL_version_num... yes
checking OpenSSL library version... configure: error: Unknown/unsupported
OpenSSL version ("30100010 (OpenSSL 3.1.1 30 May 2023)")
On Tue, Mar 5, 2024 at 1:26 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> directly to openssh@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
>
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
>
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
>
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
>
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
>
> Changes since OpenSSH 9.6
> =========================
>
> This release contains mostly bugfixes.
>
> New features
> ------------
>
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
> all open channels and will close all open channels if there is no
> traffic on any of them for the specified interval. This is in
> addition to the existing per-channel timeouts added recently.
>
> This supports situations like having both session and x11
> forwarding channels open where one may be idle for an extended
> period but the other is actively used. The global timeout could
> close both channels when both have been idle for too long.
>
> * All: make DSA key support compile-time optional, defaulting to on.
>
> Bugfixes
> --------
>
> * sshd(8): don't append an unnecessary space to the end of subsystem
> arguments (bz3667)
>
> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
> keystroke timing obfuscation was added. (GHPR#463)
>
> * ssh(1), sshd(8): fix spurious configuration parsing errors when
> options that accept array arguments are overridden (bz3657).
>
> * Many fixes to manual pages and other documentation, including
> GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
>
> * Greatly improve interop testing against PuTTY.
>
> Portability
> -----------
>
> * Improve the error message when the autoconf OpenSSL header check
> fails (bz#3668)
>
> * Improve detection of broken toolchain -fzero-call-used-regs support
> (bz3645).
>
> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
> warnings when using clang16
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
