svn commit: r296634 - head/crypto/openssh

Dag-Erling Smørgrav des at FreeBSD.org
Fri Mar 11 00:23:12 UTC 2016 

Author: des
Date: Fri Mar 11 00:23:10 2016
New Revision: 296634
URL: https://svnweb.freebsd.org/changeset/base/296634

Log:
  Re-add AES-CBC ciphers to the default cipher list on the server.
  
  PR:		207679

Modified:
  head/crypto/openssh/FREEBSD-upgrade
  head/crypto/openssh/myproposal.h
  head/crypto/openssh/sshd_config.5

Modified: head/crypto/openssh/FREEBSD-upgrade
==============================================================================
--- head/crypto/openssh/FREEBSD-upgrade	Fri Mar 11 00:15:29 2016	(r296633)
+++ head/crypto/openssh/FREEBSD-upgrade	Fri Mar 11 00:23:10 2016	(r296634)
@@ -1,4 +1,3 @@
-
 	    FreeBSD maintainer's guide to OpenSSH-portable
 	    ==============================================
 
@@ -166,6 +165,13 @@
    ignore HPN-related configuration options to avoid breaking existing
    configurations.
 
+A) AES-CBC
+
+   The AES-CBC ciphers were removed from the server-side proposal list
+   in 6.7p1 due to theoretical weaknesses and the availability of
+   superior ciphers (including AES-CTR and AES-GCM).  We have re-added
+   them for compatibility with third-party clients.
+
 

 
 This port was brought to you by (in no particular order) DARPA, NAI

Modified: head/crypto/openssh/myproposal.h
==============================================================================
--- head/crypto/openssh/myproposal.h	Fri Mar 11 00:15:29 2016	(r296633)
+++ head/crypto/openssh/myproposal.h	Fri Mar 11 00:23:10 2016	(r296634)
@@ -113,10 +113,11 @@
 #define KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305 at openssh.com," \
 	"aes128-ctr,aes192-ctr,aes256-ctr" \
-	AESGCM_CIPHER_MODES
+	AESGCM_CIPHER_MODES \
+	",aes128-cbc,aes192-cbc,aes256-cbc"
 
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
-	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+	"3des-cbc"
 
 #define KEX_SERVER_MAC \
 	"umac-64-etm at openssh.com," \

Modified: head/crypto/openssh/sshd_config.5
==============================================================================
--- head/crypto/openssh/sshd_config.5	Fri Mar 11 00:15:29 2016	(r296633)
+++ head/crypto/openssh/sshd_config.5	Fri Mar 11 00:23:10 2016	(r296634)
@@ -482,7 +482,8 @@ The default is:
 .Bd -literal -offset indent
 chacha20-poly1305 at openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm at openssh.com,aes256-gcm at openssh.com
+aes128-gcm at openssh.com,aes256-gcm at openssh.com,
+aes128-cbc,aes192-cbc,aes256-cbc
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the

More information about the svn-src-all mailing list