[Twisted-Python] conch problem with ecdsa-sha2-nistp256 host key?

Glyph Lefkowitz glyph at twistedmatrix.com
Sat Dec 3 20:56:20 MST 2016


> On Dec 3, 2016, at 4:21 PM, Craig Rodrigues <rodrigc at crodrigues.org> wrote:
> 
> On Thu, Dec 1, 2016 at 7:01 PM, Mark Williams <markrwilliams at gmail.com> wrote:
> 
> I bet the key negotiated by conch is not an ECDSA key but rather an
> RSA key.  If this is all the case, then I think you've found a key
> that LibreSSL supports but your client's libssl (which conch calls
> into via cryptography) does not.  What version of libssl do you have?
> 
> 
> Yes, you are right.  I did some debugging and found that in ssh_KEX_DH_GEX_REPLY()
> https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1596
> only an RSA key is negotiated, even if an EC key is in the known_hosts file.
> 
> I thought that with all the EC fixes committed to the tree that this was all working,
> but it looks like there is still some stuff missing.  This might fill in the gaps:
> 
> https://github.com/twisted/twisted/pull/432

Yep. The stuff that got merged was intentionally, explicitly a subset of full EC functionality.  We're trying to get it landed in stages, since, as you have already seen, even a partial implementation is very tricky to review :)

-glyph
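
Added example (not code from Twisted or conch, and not part of the original thread): the negotiation rule that avoids the situation Craig describes above, where the server presents an RSA host key although known_hosts only records an ECDSA key for that host. OpenSSH handles this by moving the key types for which known_hosts already holds a key for the target host to the front of the server_host_key_algorithms preference it sends in KEXINIT, so the server answers with a key the client can actually verify. The standalone Python below reproduces that ordering and the known_hosts lookup that follows it. The function names (known_keys_for, preferred_host_key_algs, check_host_key), the sample known_hosts text, the fixed salt and the key blobs are all constructed for the example.

```python
"""Derive the SSH host-key algorithm preference from known_hosts.

The server presents a key of the first type the client lists in KEXINIT's
server_host_key_algorithms (RFC 4253, section 7.1).  A client that always
lists ssh-rsa first gets an RSA key from a server whose only recorded key
is ECDSA, and the known_hosts lookup fails although the host is known.
OpenSSH moves types with a known key for the target host to the front; the
functions below reproduce that rule and the check that follows.  Function
names are this example's own, not conch's.
"""
import base64
import hashlib
import hmac

# Client's baseline preference order (constructed for the example).
DEFAULT_HOST_KEY_ALGS = (
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519",
)


def hashed_pattern(host, salt):
    """Build the |1|salt|hash pattern ssh-keygen -H writes (HMAC-SHA1 over host)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _hashed_match(pattern, host):
    """True if a hashed entry was produced for host with the embedded salt."""
    try:
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except ValueError:  # malformed entry (binascii.Error is a ValueError)
        return False
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, expected)


def _host_matches(pattern_field, host):
    """Match the comma-separated host field.  Wildcard and negated patterns
    (*, ?, !) are not implemented in this example and never match."""
    for pattern in pattern_field.split(","):
        if pattern.startswith("|1|"):
            if _hashed_match(pattern, host):
                return True
        elif pattern == host:
            return True
    return False


def known_keys_for(known_hosts_text, host):
    """Return [(key_type, base64_blob)] for each known_hosts line naming host."""
    keys = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority/@revoked: other semantics, skipped here
            continue
        if len(fields) >= 3 and _host_matches(fields[0], host):
            keys.append((fields[1], fields[2]))
    return keys


def preferred_host_key_algs(known_hosts_text, host, supported=DEFAULT_HOST_KEY_ALGS):
    """Supported algorithms, with those that have a known key for host first.
    Relative order inside each group is preserved, as OpenSSH does."""
    known_types = {t for t, _ in known_keys_for(known_hosts_text, host)}
    known = [a for a in supported if a in known_types]
    unknown = [a for a in supported if a not in known_types]
    return known + unknown


def kexinit_name_list(algs):
    """Encode a preference list as the comma-separated name-list KEXINIT carries."""
    return ",".join(algs)


def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Classify the key the server presented as 'match', 'mismatch' or 'unknown'.
    'mismatch' means a key of the same type is recorded for host but differs:
    a possible man-in-the-middle, not a new host."""
    same_type = [b for t, b in known_keys_for(known_hosts_text, host) if t == key_type]
    if key_b64 in same_type:
        return "match"
    if same_type:
        return "mismatch"
    return "unknown"


# Constructed sample known_hosts.  The salt is fixed so the example is
# deterministic (ssh-keygen uses 20 random bytes); the key blobs are
# placeholders, not real public keys.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry: only an ECDSA key is recorded for example.org",
    "example.org,192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=",
    "# hashed entry (ssh-keygen -H style) for bastion.example.net, RSA key",
    hashed_pattern("bastion.example.net", _SALT) + " ssh-rsa AAAAB3NzaC1yc2E=",
])


if __name__ == "__main__":
    for host in ("example.org", "bastion.example.net", "unknown.example"):
        print(host, "->", kexinit_name_list(preferred_host_key_algs(SAMPLE_KNOWN_HOSTS, host)))
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "example.org", "ssh-rsa", "AAAAB3NzaC1yc2E="))
```

For example.org the list sent in KEXINIT starts with ecdsa-sha2-nistp256, so a server holding both RSA and ECDSA keys answers with the one known_hosts can verify. The 'mismatch' outcome is the one that matters for security: a key of the recorded type whose blob differs from the stored one must be refused, whereas 'unknown' is a trust-on-first-use decision. Wildcard and negated host patterns and the @cert-authority and @revoked markers are deliberately left out of this sketch; a real client has to handle them before relying on the ordering.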
