OpenSSH No Longer Has To Depend On OpenSSL
ConstantineM writes: "What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL. `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys."
Vetting the replacement libraries? (Score:5, Insightful)
Now, here is the secondary question: How well vetted/audited will the replacement libraries end up? Disconnecting OpenSSH from OpenSSL does help isolate things, but it also means that there is twice the cryptographic code to sift through in order to ensure security.
I trust the OpenBSD developers and Theo, so IMHO, this is a net security gain.
Maybe for the lost ciphers, it might be good to implement LibreSSL?
Good news! Now get it FIPS certified. (Score:4, Insightful)
Get this version of OpenSSH FIPS certified and it will be default industry standard for the next decade.
Re:Nooooooooo (Score:5, Insightful)
DJB is the worst kind of asshole too: he's almost always right. So you shouldn't just ignore him. Meh, justified arrogance still annoys.
Now, what we really need is a cage match between DJB and Theo de Raadt. I'd buy that on PPV!