svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

Dag-Erling Smørgrav des at
Sat Mar 2 16:02:11 UTC 2013

Mike Tancsa <mike at> writes:
> The pcaps and basic wireshark output at

This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs
5.8, both with aesni loaded.

Could you also ktrace the server in both cases?

An easy workaround is to change the list of ciphers the server will
offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config.
The default is:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

Either remove the AES entries or move them further down the list.  The
client will normally pick the first supported cipher.  As far as I can
tell, SecureCRT supports all the same ciphers that OpenSSH does, so just
moving arcfour{256,128} to the front of the list should work.

(AFAIK, arcfour is also much faster than aes)

Dag-Erling Smørgrav - des at

More information about the freebsd-stable mailing list