Team,

I am having a discussion with a few friends about why this OpenSSL vuln (CVE-2014-0160) does not affect SSH. This may be TOO basic for many of you (apologies in advance), but I can't think of any other way to prove my point other than speaking to the folks who really know (that's u). Or maybe I am the one who is wrong; it wouldn't be the first time ;).

A quick response to my friends could be simply diffing the files for the actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a more classy answer. Is the below ok or am I completely off? Thank you in advance.

SSH and SSL/TLS are simply different protocols (doh). They may share some similar underlying crypto implementations, but as of their respective RFCs, they are just different protocols. The TLS Heartbeat extension would not apply to SSH. SSH "may" have its own way to keep alive, but that would be a different one.

Chris.
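The wire-level difference discussed in the post above, as an added example that is not part of the original message: a Heartbeat is a TLS record (content type 24, RFC 6520) whose declared payload length a receiver has to check against the record length, while SSH frames its traffic as RFC 4253 binary packets that contain no such message. The function names and the sample bytes (including the banner string) are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24    # TLS record content type (RFC 6520)
HB_MIN_PADDING = 16   # minimum padding in a HeartbeatMessage
SSH_MSG_IGNORE = 2    # RFC 4253; SSH's own "do nothing" message


def classify(first_bytes: bytes) -> str:
    """Name the protocol from the first bytes a peer sends."""
    if first_bytes.startswith(b"SSH-"):          # RFC 4253 identification string
        return "ssh"
    if len(first_bytes) >= 5 and first_bytes[1] == 3 and 20 <= first_bytes[0] <= 24:
        return "tls"                             # record header: type, version 3.x
    return "unknown"


def heartbeat_acceptable(record: bytes) -> bool:
    """Apply the RFC 6520 length rule to one plaintext TLS record."""
    if len(record) < 5:
        return False
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != TLS_HEARTBEAT or len(body) != rec_len or rec_len < 3:
        return False
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # type (1) + length (2) + payload + padding must fit inside the record
    return 1 + 2 + payload_len + HB_MIN_PADDING <= rec_len


def ssh_message_number(packet: bytes) -> int:
    """Message number of one unencrypted SSH binary packet (RFC 4253, section 6)."""
    packet_len, padding_len = struct.unpack("!IB", packet[:5])
    if len(packet) != 4 + packet_len or packet_len < 1 + 1 + padding_len:
        raise ValueError("malformed SSH packet")
    return packet[5]


# Constructed samples, not captured traffic.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6\r\n"
HONEST_HB = bytes([24, 3, 2]) + struct.pack("!H", 23) + b"\x01" \
    + struct.pack("!H", 4) + b"ping" + bytes(16)
OVERCLAIM_HB = bytes([24, 3, 2]) + struct.pack("!H", 3) + b"\x01" \
    + struct.pack("!H", 0x4000)                  # claims more than the record holds
SSH_IGNORE = struct.pack("!IB", 12, 6) + bytes([SSH_MSG_IGNORE]) \
    + struct.pack("!I", 0) + bytes(6)
```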