
Re: issues with CURL using RSA keys + SFTP

From: Ian Veach via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 14 Feb 2025 14:40:18 +0000

> curl uses an SSH library to perform all the SSH protocol options. The curl
> version probably won't make as much of a difference as you think in this
> regard.
> > curl 8.6.0 (powerpc-ibm-aix7.1.5.0) libcurl/8.6.0 OpenSSL/1.1.1v zlib/1.2.13 libssh2/1.10.0 nghttp2/1.58.0 OpenLDAP/2.5.16
> This shows that curl is using libssh2 in your case, and that the version is
> over 3 years old. I'd try upgrading that before investigating too much deeper.

Thanks Dan.

I completely understand your valid points. To answer:

I've taken a swing at this before, from the lib angle. Everyone says it's someone else, including the libssh2 people. I'm no crypto expert, but looking at the code it was hard to tell what did what when (to me). But I do agree that the older code simply may have the issues simply because it's older.

Looks like one of our engineers told me porky pies though. AIX Toolbox DOES offer a newer curl (8.11.1) with libssh2 1.11.0. So I agree/think that's our first step (after a million steps to satisfy our customer base before "they allow us" to upgrade). Then I can test again and see if our issue is fixed.

A follow-up question: Until we get to a newer version... what does curl (and presumably libssh2) honor as far as configuration options? Is there any way or a workaround to add configuration on the client side to e.g. not use SHA1?

I fiddled with ssh_config, but curl (or libssh2) doesn't seem to honor that like ssh/scp does. I see a LIBSSH2_NO_RSA_SHA1 option was added to libssh2 in 1.11, but that's obviously compile time (and a newer version). Again, we're trying to avoid custom compiling and interfering with the AIX Toolbox galaxy if we can.

Thanks,
Ian





Received on 2025-02-14
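
Added example, not part of the original message or of curl: a shell check that reads the first line of `curl -V`, as quoted in the thread, and reports which SSH library curl is linked against and whether it is older than libssh2 1.11.0. The 1.11.0 threshold is an assumption taken from the thread (the release the poster names for `LIBSSH2_NO_RSA_SHA1`), and the sample line is the one quoted above.

```shell
#!/bin/sh
# Constructed sample: the `curl -V` first line quoted in the thread.
SAMPLE='curl 8.6.0 (powerpc-ibm-aix7.1.5.0) libcurl/8.6.0 OpenSSL/1.1.1v zlib/1.2.13 libssh2/1.10.0 nghttp2/1.58.0 OpenLDAP/2.5.16'
MIN=1.11.0   # assumption: threshold taken from the thread, not from curl

# Print "name version" for the SSH library token in a curl -V line.
ssh_backend() {
    for tok in $1; do
        case $tok in
            libssh2/*|libssh/*|wolfssh/*)
                v=${tok#*/}                      # drop "name/"
                printf '%s %s\n' "${tok%%/*}" "${v%%/*}"
                return 0 ;;
        esac
    done
    return 1                                     # no SSH library in this build
}

# Succeed when dotted version $1 is strictly lower than $2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}         # ignore suffixes such as "_DEV"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                                     # equal versions
}

# One-line verdict for a curl -V version line.
classify() {
    be=$(ssh_backend "$1") || { echo "no SSH backend found"; return 0; }
    name=${be% *}; ver=${be#* }
    if [ "$name" != libssh2 ]; then
        echo "$be: not libssh2, threshold not applicable"
    elif version_lt "$ver" "$MIN"; then
        echo "$be: older than $MIN"
    else
        echo "$be: $MIN or newer"
    fi
}

# Uses the sample unless a version line is passed as the first argument.
classify "${1:-$SAMPLE}"
```

To check an installed curl instead of the sample, pass its version line as the argument: `sh check.sh "$(curl -V | head -n 1)"` (the script name is hypothetical).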