> On Dec 3, 2016, at 4:21 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>
> On Thu, Dec 1, 2016 at 7:01 PM, Mark Williams <markrwilli...@gmail.com> wrote:
>
> I bet the key negotiated by conch is not an ECDSA key but rather an
> RSA key. If this is all the case, then I think you've found a key
> that LibreSSL supports but your client's libssl (which conch calls
> into via cryptography) does not. What version of libssl do you have?
>
> Yes, you are right. I did some debugging and found that in
> ssh_KEX_DH_GEX_REPLY()
> https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1596
> only an RSA key is negotiated, even if an EC key is in the known_hosts file.
>
> I thought that with all the EC fixes committed to the tree that this was all
> working, but it looks like there is still some stuff missing. This might fill
> in the gaps:
>
> https://github.com/twisted/twisted/pull/432

Yep. The stuff that got merged was intentionally, explicitly a subset of full EC functionality. We're trying to get it landed in stages, since, as you have already seen, even a partial implementation is very tricky to review :)

-glyph