undefined | Better HN

0 pointschupa-chups5y ago0 comments

Both SSH and SSL base on TLS. The leak in question has a problem

> during or after a TLS 1.3 handshake

Sure, openSSL is not SSH, but it is not unreasonable to assume this leak may affect web servers as well (e.g. by being based on the same underlying TLS implementation).

"SSH != SSL" is a bit short to invalidate the assumption of the OP. I'd not be so sure this problem does not affect "web server X".

https://en.wikipedia.org/wiki/Transport_Layer_Security

OK, learnt something new today: https://crypto.stackexchange.com/questions/60255/why-doesnt-...

https://xkcd.com/1053/

Thanks! :)

0 comments

notaplumber5y ago

> Both SSH and SSL base on TLS.

You are very mistaken. OpenSSH only uses OpenSSL (or LibreSSL) as an optional dependency for the libcrypto primitives (RSA/AES etc). NOT for libssl.

The SSH protocol has nothing to do with either SSL or TLS.

hannob5y ago

> Both SSH and SSL base on TLS

No.

1 more reply

detaro5y ago

The parent is asking if primarily servers exposing "SSH" are affected. I should be less glib though, fair enough. will edit.

j / k navigate · click thread line to collapse