From: Dimitri John Ledkov
Subject: Re: [PATCH] Upgrade ssh_connection_hash from hex SHA1 to base64url SHA256
To: tech@openbsd.org
Cc: djm@openbsd.org
Date: Sun, 26 Oct 2025 20:45:42 +0000

Ping,

Any changes required to land this? The original patch still applies
cleanly to the latest code.

On Thu, 25 Sept 2025 at 16:56, Dimitri John Ledkov wrote:
>
> On Mon, 8 Sept 2025 at 10:24, Dimitri John Ledkov
> wrote:
> >
> > Upgrade ssh_connection_hash from SHA1 to SHA256. Due to increased
> > length, instead of using hex encoding, use base64url encoding, which
> > for SHA256 is only slightly longer than hex SHA1. Rename related
> > variables for clarity.
> >
> > This change enables building and using ssh completely without SHA1.
> > ---
> > regress/usr.bin/ssh/percent.sh | 3 ++-
> > usr.bin/ssh/readconf.c | 23 ++++++++++++++++-------
> > usr.bin/ssh/ssh.c | 4 ++--
> > usr.bin/ssh/sshconnect.h | 4 ++--
> > 4 files changed, 22 insertions(+), 12 deletions(-)
> >
>
> Are there any other questions, reviews or concerns to land this change?
>
> This change passed all Github based CI at
> https://github.com/openssh/openssh-portable/pull/595 but can
> rebase/rerun again.
>
> Separately, should I provide another alternative implementation that
> keeps using HEX encoding but with a truncated SHA-256/160? This way
> the appearance of the session will retain the same character set and
> length as today, but without using SHA-1. This would be similar to
> what is being used for TLS certificates public key info hash
> identifier, for which it was also determined that SHA256 output is too
> long.
>
> --
> Regards,
>
> Dimitri.

--
Regards,

Dimitri.
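
Added example, not part of the thread and not code from the patch: the three encodings the thread compares (hex SHA1, base64url SHA256, hex SHA-256/160) computed over one constructed connection tuple so their lengths and character sets can be checked side by side. The field order fed to the digest, the sample values, the function names and the stripping of '=' padding are assumptions.

```python
import base64
import hashlib

# Constructed sample connection tuple (not from the thread). The field order
# (local host, remote host, port, user, jump host) is an assumption about
# what ssh_connection_hash() feeds to the digest.
SAMPLE = ("laptop.example.org", "server.example.org", "22", "alice", "")


def connection_digest(fields, algo):
    """Hash the concatenated connection fields with the named algorithm."""
    md = hashlib.new(algo)
    for field in fields:
        md.update(field.encode())
    return md.digest()


def hex_sha1(fields):
    """Form named in the subject line as the current one: hex SHA1."""
    return connection_digest(fields, "sha1").hex()


def b64url_sha256(fields):
    """Proposed form: base64url SHA256.

    Dropping the single '=' pad is an assumption; with padding kept the
    string would be 44 characters instead of 43.
    """
    raw = connection_digest(fields, "sha256")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def hex_sha256_160(fields):
    """Alternative floated in the thread: SHA256 cut to 160 bits, in hex."""
    return connection_digest(fields, "sha256")[:20].hex()


def summarize(fields):
    """Return {form name: (encoded value, length)} for all three forms."""
    forms = {"hex-sha1": hex_sha1, "b64url-sha256": b64url_sha256,
             "hex-sha256/160": hex_sha256_160}
    return {name: (fn(fields), len(fn(fields))) for name, fn in forms.items()}


if __name__ == "__main__":
    for name, (value, length) in summarize(SAMPLE).items():
        print(f"{name:15} {length:3}  {value}")
```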