On Wed, Sep 13, 2000 at 09:13:26AM +0000, Graham Murray wrote:
> On upgrading to openssl 0.9.6-beta1, I find that openssh 2.2.0p1 fails
> to connect.

I did some more experiments and also saw the problems.

They occur when using a 0.9.6-beta client to connect to 0.9.5a and 0.9.6-beta servers.
They also occur when using a 0.9.5a client connecting to a 0.9.6-beta server.
Connections fail with "dsa_verify: signature incorrect".

I have completely recompiled and re-linked the packages, so that binary compatibility of the OpenSSL library is not an issue.

I have crossposted this message to openssh-unix-dev, as I don't know whether this is caused by the new OpenSSL release or a problem with OpenSSH calling it.

!! In any case it is a kind of show-stopper!!

Unfortunately I don't know enough about the SSH protocol, so I cannot offer my help this time :-(

Best regards,
Lutz

Rest of original message:
> I get the following log
> SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
> Compiled with SSL (0x00906001).
> debug: Reading configuration data /usr/local/etc/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 500 geteuid 0 anon 0
> debug: Connecting to gateway.webwayone.demon.co.uk [192.168.50.2] port 22.
> debug: Allocated local port 1023.
> debug: Connection established.
> debug: Remote protocol version 2.0, remote software version OpenSSH_2.2.0p1
> Enabling compatibility mode for protocol 2.0
> debug: Local version string SSH-2.0-OpenSSH_2.2.0p1
> debug: Seeding random number generator
> debug: send KEXINIT
> debug: done
> debug: wait KEXINIT
> debug: got kexinit: diffie-hellman-group1-sha1
> debug: got kexinit: ssh-dss
> debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
> debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
> debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
> debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
> debug: got kexinit: zlib,none
> debug: got kexinit: zlib,none
> debug: got kexinit:
> debug: got kexinit:
> debug: first kex follow: 0
> debug: reserved: 0
> debug: done
> debug: kex: server->client 3des-cbc hmac-sha1 none
> debug: kex: client->server 3des-cbc hmac-sha1 none
> debug: Sending SSH2_MSG_KEXDH_INIT.
> debug: bits set: 501/1024
> debug: Wait SSH2_MSG_KEXDH_REPLY.
> debug: Got SSH2_MSG_KEXDH_REPLY.
> debug: Host 'gateway.webwayone.demon.co.uk' is known and matches the DSA host key.
> debug: bits set: 509/1024
> debug: len 55 datafellows 0
> debug: dsa_verify: signature incorrect
> dsa_verify failed for server_host_key
> debug: Calling cleanup 0x805e760(0x0)
>
> Using openssl 0.9.5a there are no problems (I have a log of a
> connection using this, if this will help)
>
> The remote system is running openssh 2.2.0p1 with openssl 0.9.5a.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users at openssl.org
> Automated List Manager                           majordomo at openssl.org

--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

This is probably a commonly asked question...that, or I'm missing something significant, here.

I'm using an OpenSSH 2.2.1p4 client, with OpenSSH 1.2.3 for the server; I'm trying to display a remote X app back to my desktop; every time I try it, I get:

remote.server$ xcalc
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to remote.server:10.0 broken (explicit kill or server shutdown).

Is this an xauth thing, or an incompatibility thing, or?

TIA!

Later,
Paul

----------------------------------------------------------------------
J. Paul Reed              preed at sigkill.com || web.sigkill.com/preed
If you put a gun to my head and said "Name ten great bands that have come out in the last 5 years," you'd be wiping my brains off the wall. -- Trent Reznor

Richard Levitte - VMS Whacker
2000-Sep-14 17:34 UTC
openssh 2.2.0p1 fails with openssl 0.9.6-beta1
From: Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>

Lutz.Jaenicke> I did some more experiments and also saw the problems.
Lutz.Jaenicke>
Lutz.Jaenicke> They occur when using a 0.9.6-beta client to connect to
Lutz.Jaenicke> 0.9.5a and 0.9.6-beta servers.
Lutz.Jaenicke> They also occur when using a 0.9.5a client connecting
Lutz.Jaenicke> to a 0.9.6-beta server.

Hmm, that's no good. I'll see if I can generate something similar using just s_client and s_server or something like that...

--
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Chairman at Stacken  \ S-168 35 BROMMA  \ T: +46-8-26 52 47
Redakteur at Stacken \ SWEDEN           \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.