Is it possible to edit sshd_config or ssh_config, such that the SSH connection into a machine configured to use TLS1.2 is successful and rejects connections configured to use TLS1.1 and below, as well as SSL3 and below?

Is there any other way to do this?

This is on Fedora.

dhag
hack

2 Answers

POODLE is not a problem for SSH.

Bogdan

You misunderstand something, but it is an easy thing to get confused about.

  • SSH = Secure SHell
  • SSL = Secure Sockets Layer

ssh/sshd is a standalone client-server application that uses its own high-level protocol (the SSH protocol); SSL is a parallel protocol used with (e.g.) HTTPS servers. Applications which use one or the other may use the same low-level ciphers (which you can delimit with the Ciphers option in sshd_config), hence ssh implementations are generally linked to libssl (which actually implements the ciphers¹), but the high-level protocol used for secure shell communication is neither SSL nor TLS.

You can set which versions of the ssh protocol to accept (see the Protocol option in man sshd_config), but the default is already the most secure.


1. TBH I'm not positive that's the reason for the linkage, but point being, it's not in order to use the SSL protocol.

goldilocks
  • Thank You Goldilocks. So when I give a command at the command line, "openssl s_client -connect -" This pertains to openssl and not SSH ??? – hack Mar 19 '15 at 14:39
  • 1
    Yep. `s_client` is "a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only..." – goldilocks Mar 19 '15 at 14:41
  • Thanks again Goldilocks. I am fresh out of school and trying to work on a project. I posed similar questions elsewhere but the responses were too rude. Appreciate your patience! Adding to the question, so is it not possible from a server POV to limit SSL and enable only TLS1.2 ?? I am not sure if I framed my question correctly, but I could do that to lighttpd and see that only TLS1.2 based connections were successful and the rest were dropped. – hack Mar 19 '15 at 15:05
  • Web servers can and should have that option, yes. I'm not a lighttpd user though, so I don't know about that specifically. I'm sure if you look through the configuration docs you will find something. – goldilocks Mar 19 '15 at 15:12
  • @hack This is off topic, but: was it a Fedora-related site where you got rude responses? If so, please let me know — that's not how we want to treat people. – mattdm Mar 19 '15 at 15:23
  • mattdm nope not a Fedora-related site. Thanks for that.. goldilocks i will keep trying and update it once I have a solution. Thanks a tonne!! – hack Mar 19 '15 at 15:34
  • If the issue is now lighttpd, I would leave that out of this Q&A, things will get too confusing. This might as well be here -- it wasn't long ago I realized that ssh didn't really use SSL ;) – goldilocks Mar 19 '15 at 15:39
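An added example (not from the answer, the question, or OpenSSH itself) that makes the distinction above concrete: the first bytes an SSH peer sends are an `SSH-2.0-...` identification string, while an SSL/TLS peer sends a record header whose version bytes name SSL 3.0 / TLS 1.x, so TLS version settings never apply to port 22; the second half reads the `Protocol` and `Ciphers` options the answer mentions out of an sshd_config fragment. The greetings and the sshd_config text are constructed samples.

```python
import re

# Constructed samples (not captured from any real host): the first bytes a peer sends.
SSH_GREETING = b"SSH-2.0-OpenSSH_6.6.1\r\n"
TLS12_RECORD = bytes.fromhex("16 03 03 00 05 01 00 00 01 00")  # handshake record, version TLS 1.2
SSL3_RECORD = bytes.fromhex("16 03 00 00 05 01 00 00 01 00")   # handshake record, version SSL 3.0

# Constructed sshd_config fragment to check (hypothetical content, not from the question).
SAMPLE_SSHD_CONFIG = """
# Protocol 2,1 would also accept legacy SSH-1 clients
Protocol 2,1
Ciphers aes256-ctr,aes128-ctr
"""

_SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([^ \r\n]+)")
_TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

def classify_greeting(data: bytes) -> dict:
    """Tell an SSH peer from an SSL/TLS peer by the first bytes on the wire.
    SSH (RFC 4253 section 4.2) starts with 'SSH-protoversion-softwareversion';
    SSL/TLS starts with a record header: type 0x16 (handshake), major 0x03, minor."""
    m = _SSH_ID.match(data)
    if m:
        return {"protocol": "ssh", "version": m.group(1).decode(), "software": m.group(2).decode()}
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"protocol": "tls", "version": _TLS_VERSIONS.get(data[2], "unknown")}
    return {"protocol": "unknown"}

def parse_sshd_config(text: str) -> dict:
    """Collect the options the answer names (Protocol, Ciphers) from sshd_config text.
    Keywords are case-insensitive; '#' starts a comment; values are comma-separated lists."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in ("protocol", "ciphers"):
            opts[key] = [v.strip() for v in value.split(",") if v.strip()]
    return opts

def allows_ssh1(opts: dict) -> bool:
    """True if the config admits the obsolete SSH-1 protocol; without a Protocol line the
    default is 2 only. Later OpenSSH releases dropped SSH-1 entirely, so the option is moot there."""
    return "1" in opts.get("protocol", ["2"])

if __name__ == "__main__":
    for sample in (SSH_GREETING, TLS12_RECORD, SSL3_RECORD):
        print(classify_greeting(sample))
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print(cfg, "allows SSH-1:", allows_ssh1(cfg))
```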