From: Dag-Erling Smørgrav
Date: Fri, 11 Mar 2016 00:23:10 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r296634 - head/crypto/openssh

Author: des
Date: Fri Mar 11 00:23:10 2016
New Revision: 296634
URL: https://svnweb.freebsd.org/changeset/base/296634

Log:
  Re-add AES-CBC ciphers to the default cipher list on the server.

  PR: 207679

Modified:
  head/crypto/openssh/FREEBSD-upgrade
  head/crypto/openssh/myproposal.h
  head/crypto/openssh/sshd_config.5

Modified: head/crypto/openssh/FREEBSD-upgrade ============================================================================== --- head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:15:29 2016 (r296633) +++ head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:23:10 2016 (r296634) @@ -1,4 +1,3 @@ - FreeBSD maintainer's guide to OpenSSH-portable ============================================== 
@@ -166,6 +165,13 @@ ignore HPN-related configuration options to avoid breaking existing configurations. +A) AES-CBC + + The AES-CBC ciphers were removed from the server-side proposal list + in 6.7p1 due to theoretical weaknesses and the availability of + superior ciphers (including AES-CTR and AES-GCM). We have re-added + them for compatibility with third-party clients. + This port was brought to you by (in no particular order) DARPA, NAI Modified: head/crypto/openssh/myproposal.h ============================================================================== --- head/crypto/openssh/myproposal.h Fri Mar 11 00:15:29 2016 (r296633) +++ head/crypto/openssh/myproposal.h Fri Mar 11 00:23:10 2016 (r296634) @@ -113,10 +113,11 @@ #define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES + AESGCM_CIPHER_MODES \ + ",aes128-cbc,aes192-cbc,aes256-cbc" #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" + "3des-cbc" #define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ Modified: head/crypto/openssh/sshd_config.5 ============================================================================== --- head/crypto/openssh/sshd_config.5 Fri Mar 11 00:15:29 2016 (r296633) +++ head/crypto/openssh/sshd_config.5 Fri Mar 11 00:23:10 2016 (r296634) @@ -482,7 +482,8 @@ The default is: .Bd -literal -offset indent chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com +aes128-gcm@openssh.com,aes256-gcm@openssh.com, +aes128-cbc,aes192-cbc,aes256-cbc .Ed .Pp The list of available ciphers may also be obtained using the
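Review bot: In the FREEBSD-upgrade hunk at -166,6 +165,13, the new "A) AES-CBC" entry gives "compatibility with third-party clients" as the reason but names neither the clients nor the bug report, so whoever does the next vendor import has nothing to check against when deciding whether the local change can be dropped. Adding "PR: 207679" (from the commit log) to the entry, and a note on what would allow removal, would make this self-contained.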
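Review bot: In the myproposal.h hunk at -113,10 +113,11, the added ",aes128-cbc,aes192-cbc,aes256-cbc" line in KEX_SERVER_ENCRYPT has no comment marking it as a FreeBSD local deviation, so it is easy to lose or mis-merge on the next import. A one-line comment above the define pointing at item A in FREEBSD-upgrade would help. It is also worth stating in that comment that the string depends on its leading comma: the preceding "aes128-ctr,aes192-ctr,aes256-ctr" has no trailing comma before AESGCM_CIPHER_MODES, so the concatenation only stays well-formed if each following piece supplies its own separator. With CBC moved into the server list, KEX_CLIENT_ENCRYPT expands to the same string as before, which could be said in the log so readers do not assume the client proposal changed.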
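Review bot: In the sshd_config.5 hunk at -482,7 +482,8, the documented default now ends with "aes128-cbc,aes192-cbc,aes256-cbc" but the page gives the administrator no hint that these entries are a local compatibility addition rather than a recommended choice. A sentence after the .Ed saying the CBC ciphers are offered last for compatibility with older clients, and can be dropped by setting Ciphers explicitly, would match the rationale recorded in FREEBSD-upgrade.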