svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

Mike Tancsa mike at
Sat Mar 2 16:06:49 UTC 2013

On 3/2/2013 11:02 AM, Dag-Erling Smørgrav wrote:
> Mike Tancsa <mike at> writes:
>> The pcaps and basic wireshark output at
> This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs
> 5.8, both with aesni loaded.

Ahh, ok. I will do it later this aft.

> Could you also ktrace the server in both cases?

That was the daemon in both cases.  ktrace /usr/sbin/sshd -dddd

> An easy workaround is to change the list of ciphers the server will
> offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config.
> The default is:
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
> Either remove the AES entries or move them further down the list.  The
> client will normally pick the first supported cipher.  As far as I can
> tell, SecureCRT supports all the same ciphers that OpenSSH does, so just
> moving arcfour{256,128} to the front of the list should work.
> (AFAIK, arcfour is also much faster than aes)

Actually, I am just doing with a freebsd openssh client

 ssh -c aes128-cbc

Its for sure something to do with hardware crypto offload because it
works fine with a cipher that is not accelerated.



Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at
Providing Internet services since 1994
Cambridge, Ontario Canada

More information about the freebsd-stable mailing list