openssh bugs - Nov 2024 - [Bug 3756] New: ssh connection breaks after openssl is upgraded

https://bugzilla.mindrot.org/show_bug.cgi?id=3756

            Bug ID: 3756
           Summary: ssh connection breaks after openssl is upgraded
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: 68k
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: gtapase at ddn.com

On a el9.3 system, when openssl is upgraded from version
3.0.7-25.el9_3.x86_64 to 3.2.2-6.el9_5, it breaks ssh connection with 

sshd[39580]: OpenSSL version mismatch. Built against 30000070, you have
30200020

This causes the system to be unavailable for ssh connections.

kex_exchange_identification: read: Connection reset by peer

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3756

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |dtucker at dtucker.net
         Resolution|---                         |FIXED

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
OpenSSL changed their binary compatibility policy between 1.1 and 3.x
series, but we didn't notice that for a while.

We updated our compat checking code in
https://github.com/openssh/openssh-portable/commit/b7afd8a4ecaca8afd3179b55e9db79c0ff210237
 which was first in the 9.4p1 release.  You're using a version older
than that, which incorrectly applies the 1.1.x policy to the 3.x
series.

If you are using a vendor-supplied OpenSSH binary, you'll need to talk
to them about backporting and/or rebuilding.  If you're using a binary
you built yourself, you'll need to either rebuild, backport the patch
and rebuild, or update to a newer version and rebuild.  There's nothing
that we can do that we have not already done.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.