On Thu, Dec 1, 2016 at 7:01 PM, Mark Williams <markrwilliams@gmail.com> wrote:
> I bet the key negotiated by conch is not an ECDSA key but rather an RSA key. If this is all the case, then I think you've found a key that LibreSSL supports but your client's libssl (which conch calls into via cryptography) does not. What version of libssl do you have?

Yes, you are right. I did some debugging and found that in ssh_KEX_DH_GEX_REPLY()

https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transpor...

only an RSA key is negotiated, even if an EC key is in the known_hosts file.

I thought that, with all the EC fixes committed to the tree, this was all working, but it looks like there is still some stuff missing. This might fill in the gaps:

https://github.com/twisted/twisted/pull/432

--
Craig