svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd
Mike Tancsa
mike at sentex.net
Sat Mar 2 16:06:49 UTC 2013
On 3/2/2013 11:02 AM, Dag-Erling Smørgrav wrote:
> Mike Tancsa <mike at sentex.net> writes:
>> The pcaps and basic wireshark output at
>>
>> http://tancsa.com/openssh/
>
> This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs
> 5.8, both with aesni loaded.
Ahh, ok. I will do it later this aft.
>
> Could you also ktrace the server in both cases?
That was the daemon in both cases. ktrace /usr/sbin/sshd -dddd
>
> An easy workaround is to change the list of ciphers the server will
> offer to clients by adding a "Ciphers" line in /etc/ssh/sshd_config.
> The default is:
>
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
>
> Either remove the AES entries or move them further down the list. The
> client will normally pick the first supported cipher. As far as I can
> tell, SecureCRT supports all the same ciphers that OpenSSH does, so just
> moving arcfour{256,128} to the front of the list should work.
>
> (AFAIK, arcfour is also much faster than aes)
Actually, I am just doing with a freebsd openssh client
ssh -c aes128-cbc testhost-with-the-issue.sentex.ca
Its for sure something to do with hardware crypto offload because it
works fine with a cipher that is not accelerated.
---Mike
>
> DES
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-stable
mailing list