diff options
author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2016-03-11 00:23:10 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2016-03-11 00:23:10 +0000 |
commit | c3c6c935fca17c15194dafc56ee3bf4ef9ecd35e (patch) | |
tree | 98f72e25491cb0731e1b80367228fc8b1ab82ea8 /crypto/openssh | |
parent | acc1a9ef8333c798c210fa94be6af4d5fe2dd794 (diff) | |
download | src-c3c6c935fca17c15194dafc56ee3bf4ef9ecd35e.tar.gz src-c3c6c935fca17c15194dafc56ee3bf4ef9ecd35e.zip |
Re-add AES-CBC ciphers to the default cipher list on the server.
PR: 207679
Notes
Notes:
svn path=/head/; revision=296634
Diffstat (limited to 'crypto/openssh')
-rw-r--r-- | crypto/openssh/FREEBSD-upgrade | 8 | ||||
-rw-r--r-- | crypto/openssh/myproposal.h | 5 | ||||
-rw-r--r-- | crypto/openssh/sshd_config.5 | 3 |
3 files changed, 12 insertions, 4 deletions
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 7acd51fbe663..43e2a743537e 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -1,4 +1,3 @@ - FreeBSD maintainer's guide to OpenSSH-portable ============================================== @@ -166,6 +165,13 @@ ignore HPN-related configuration options to avoid breaking existing configurations. +A) AES-CBC + + The AES-CBC ciphers were removed from the server-side proposal list + in 6.7p1 due to theoretical weaknesses and the availability of + superior ciphers (including AES-CTR and AES-GCM). We have re-added + them for compatibility with third-party clients. + This port was brought to you by (in no particular order) DARPA, NAI diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h index 7a8b43228175..d286691ebb21 100644 --- a/crypto/openssh/myproposal.h +++ b/crypto/openssh/myproposal.h @@ -113,10 +113,11 @@ #define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES + AESGCM_CIPHER_MODES \ + ",aes128-cbc,aes192-cbc,aes256-cbc" #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" + "3des-cbc" #define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index baed664fc1f8..cc43aad6c86a 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -482,7 +482,8 @@ The default is: .Bd -literal -offset indent chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com +aes128-gcm@openssh.com,aes256-gcm@openssh.com, +aes128-cbc,aes192-cbc,aes256-cbc .Ed .Pp The list of available ciphers may also be obtained using the |