svn commit: r296634 - head/crypto/openssh

Thu, 10 Mar 2016 16:24:07 -0800 

Author: des
Date: Fri Mar 11 00:23:10 2016
New Revision: 296634
URL: https://svnweb.freebsd.org/changeset/base/296634

Log:
  Re-add AES-CBC ciphers to the default cipher list on the server.
  
  PR:           207679

Modified:
  head/crypto/openssh/FREEBSD-upgrade
  head/crypto/openssh/myproposal.h
  head/crypto/openssh/sshd_config.5

Modified: head/crypto/openssh/FREEBSD-upgrade
==============================================================================
--- head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:15:29 2016        
(r296633)
+++ head/crypto/openssh/FREEBSD-upgrade Fri Mar 11 00:23:10 2016        
(r296634)
@@ -1,4 +1,3 @@
-
            FreeBSD maintainer's guide to OpenSSH-portable
            ==============================================
 
@@ -166,6 +165,13 @@
    ignore HPN-related configuration options to avoid breaking existing
    configurations.
 
+A) AES-CBC
+
+   The AES-CBC ciphers were removed from the server-side proposal list
+   in 6.7p1 due to theoretical weaknesses and the availability of
+   superior ciphers (including AES-CTR and AES-GCM).  We have re-added
+   them for compatibility with third-party clients.
+
 
 
 This port was brought to you by (in no particular order) DARPA, NAI

Modified: head/crypto/openssh/myproposal.h
==============================================================================
--- head/crypto/openssh/myproposal.h    Fri Mar 11 00:15:29 2016        
(r296633)
+++ head/crypto/openssh/myproposal.h    Fri Mar 11 00:23:10 2016        
(r296634)
@@ -113,10 +113,11 @@
 #define KEX_SERVER_ENCRYPT \
        "chacha20-poly1...@openssh.com," \
        "aes128-ctr,aes192-ctr,aes256-ctr" \
-       AESGCM_CIPHER_MODES
+       AESGCM_CIPHER_MODES \
+       ",aes128-cbc,aes192-cbc,aes256-cbc"
 
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
-       "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+       "3des-cbc"
 
 #define KEX_SERVER_MAC \
        "umac-64-...@openssh.com," \

Modified: head/crypto/openssh/sshd_config.5
==============================================================================
--- head/crypto/openssh/sshd_config.5   Fri Mar 11 00:15:29 2016        
(r296633)
+++ head/crypto/openssh/sshd_config.5   Fri Mar 11 00:23:10 2016        
(r296634)
@@ -482,7 +482,8 @@ The default is:
 .Bd -literal -offset indent
 chacha20-poly1...@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-...@openssh.com,aes256-...@openssh.com
+aes128-...@openssh.com,aes256-...@openssh.com,
+aes128-cbc,aes192-cbc,aes256-cbc
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to