svn commit: r296634 - head/crypto/openssh
Dag-Erling Smørgrav
des at FreeBSD.org
Fri Mar 11 00:23:12 UTC 2016
Author: des
Date: Fri Mar 11 00:23:10 2016
New Revision: 296634
URL: https://svnweb.freebsd.org/changeset/base/296634
Log:
Re-add AES-CBC ciphers to the default cipher list on the server.
PR: 207679
Modified:
head/crypto/openssh/FREEBSD-upgrade
head/crypto/openssh/myproposal.h
head/crypto/openssh/sshd_config.5
Modified: head/crypto/openssh/FREEBSD-upgrade
==============================================================================
--- head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:15:29 2016 (r296633)
+++ head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:23:10 2016 (r296634)
@@ -1,4 +1,3 @@
-
FreeBSD maintainer's guide to OpenSSH-portable
==============================================
@@ -166,6 +165,13 @@
ignore HPN-related configuration options to avoid breaking existing
configurations.
+A) AES-CBC
+
+ The AES-CBC ciphers were removed from the server-side proposal list
+ in 6.7p1 due to theoretical weaknesses and the availability of
+ superior ciphers (including AES-CTR and AES-GCM). We have re-added
+ them for compatibility with third-party clients.
+
This port was brought to you by (in no particular order) DARPA, NAI
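Review bot: The new "A) AES-CBC" entry gives the reason as "compatibility with third-party clients" but records neither the PR behind it (207679, per the commit log) nor any condition under which the local change can be dropped. Adding the PR number and a short removal criterion to the entry would let whoever does the next vendor import decide whether to carry the divergence forward, rather than keeping ciphers that upstream removed indefinitely.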
Modified: head/crypto/openssh/myproposal.h
==============================================================================
--- head/crypto/openssh/myproposal.h Fri Mar 11 00:15:29 2016 (r296633)
+++ head/crypto/openssh/myproposal.h Fri Mar 11 00:23:10 2016 (r296634)
@@ -113,10 +113,11 @@
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305 at openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr" \
- AESGCM_CIPHER_MODES
+ AESGCM_CIPHER_MODES \
+ ",aes128-cbc,aes192-cbc,aes256-cbc"
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
- "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+ "3des-cbc"
#define KEX_SERVER_MAC \
"umac-64-etm at openssh.com," \
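Review bot: After this change KEX_CLIENT_ENCRYPT gets the aes*-cbc entries only through KEX_SERVER_ENCRYPT, since the client define now appends just "3des-cbc". The effective client list is unchanged today, but if the CBC entries are later removed from the server list again, the client default silently loses them as well. If the client is meant to offer CBC regardless of the server default, keep the three names spelled out in the client define; otherwise add a comment above KEX_SERVER_ENCRYPT noting that the trailing ",aes128-cbc,aes192-cbc,aes256-cbc" is a local addition that the client list depends on. Appending the CBC names after AESGCM_CIPHER_MODES does keep them at the lowest preference, which fits the stated compatibility goal.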
Modified: head/crypto/openssh/sshd_config.5
==============================================================================
--- head/crypto/openssh/sshd_config.5 Fri Mar 11 00:15:29 2016 (r296633)
+++ head/crypto/openssh/sshd_config.5 Fri Mar 11 00:23:10 2016 (r296634)
@@ -482,7 +482,8 @@ The default is:
.Bd -literal -offset indent
chacha20-poly1305 at openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm at openssh.com,aes256-gcm at openssh.com
+aes128-gcm at openssh.com,aes256-gcm at openssh.com,
+aes128-cbc,aes192-cbc,aes256-cbc
.Ed
.Pp
The list of available ciphers may also be obtained using the
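Review bot: The literal default list now ends with aes128-cbc,aes192-cbc,aes256-cbc, matching the order in myproposal.h, but the surrounding man page text gives an administrator no indication that these three are a local compatibility addition rather than part of the upstream default. Consider adding a sentence after the .Ed saying that the CBC ciphers are included for compatibility with older clients and can be excluded by setting Ciphers explicitly, so that sites that do not need them know the default has been widened.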