Date: Fri, 11 Mar 2016 00:23:10 +0000 (UTC) From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r296634 - head/crypto/openssh Message-ID: <201603110023.u2B0NAkO068747@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: des Date: Fri Mar 11 00:23:10 2016 New Revision: 296634 URL: https://svnweb.freebsd.org/changeset/base/296634 Log: Re-add AES-CBC ciphers to the default cipher list on the server. PR: 207679 Modified: head/crypto/openssh/FREEBSD-upgrade head/crypto/openssh/myproposal.h head/crypto/openssh/sshd_config.5 Modified: head/crypto/openssh/FREEBSD-upgrade ============================================================================== --- head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:15:29 2016 (r296633) +++ head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:23:10 2016 (r296634) @@ -1,4 +1,3 @@ - FreeBSD maintainer's guide to OpenSSH-portable ============================================== @@ -166,6 +165,13 @@ ignore HPN-related configuration options to avoid breaking existing configurations. +A) AES-CBC + + The AES-CBC ciphers were removed from the server-side proposal list + in 6.7p1 due to theoretical weaknesses and the availability of + superior ciphers (including AES-CTR and AES-GCM). We have re-added + them for compatibility with third-party clients. + This port was brought to you by (in no particular order) DARPA, NAI Modified: head/crypto/openssh/myproposal.h ============================================================================== --- head/crypto/openssh/myproposal.h Fri Mar 11 00:15:29 2016 (r296633) +++ head/crypto/openssh/myproposal.h Fri Mar 11 00:23:10 2016 (r296634) @@ -113,10 +113,11 @@ #define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES + AESGCM_CIPHER_MODES \ + ",aes128-cbc,aes192-cbc,aes256-cbc" #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" + "3des-cbc" #define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ Modified: head/crypto/openssh/sshd_config.5 ============================================================================== --- head/crypto/openssh/sshd_config.5 Fri Mar 11 00:15:29 2016 (r296633) +++ head/crypto/openssh/sshd_config.5 Fri Mar 11 00:23:10 2016 (r296634) @@ -482,7 +482,8 @@ The default is: .Bd -literal -offset indent chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com +aes128-gcm@openssh.com,aes256-gcm@openssh.com, +aes128-cbc,aes192-cbc,aes256-cbc .Ed .Pp The list of available ciphers may also be obtained using the
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603110023.u2B0NAkO068747>