From 81be2a8a238ce18c6c2a243bfa08e038d510b811 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Thu, 24 Mar 2016 14:27:33 +0100 Subject: [PATCH 173/257] OpenSSH: Remove AES-CBC ciphers from the default cipher list on the server As it's done in OpenSSH 6.7p1 and later. This reverts FreeBSD r296634. Obtained from: ElectroBSD --- crypto/openssh/FREEBSD-upgrade | 8 +------- crypto/openssh/myproposal.h | 5 ++--- crypto/openssh/sshd_config.5 | 3 +-- 3 files changed, 4 insertions(+), 12 deletions(-) diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 4b31eb3532d6..8161baddaf5d 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -1,3 +1,4 @@ + FreeBSD maintainer's guide to OpenSSH-portable ============================================== @@ -160,13 +161,6 @@ ignore HPN-related configuration options to avoid breaking existing configurations. -9) AES-CBC - - The AES-CBC ciphers were removed from the server-side proposal list - in 6.7p1 due to theoretical weaknesses and the availability of - superior ciphers (including AES-CTR and AES-GCM). We have re-added - them for compatibility with third-party clients. - This port was brought to you by (in no particular order) DARPA, NAI diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h index 68d29e86b63e..2af5c47cf82a 100644 --- a/crypto/openssh/myproposal.h +++ b/crypto/openssh/myproposal.h @@ -111,11 +111,10 @@ #define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES \ - ",aes128-cbc,aes192-cbc,aes256-cbc" + AESGCM_CIPHER_MODES #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ - "3des-cbc" + "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" #define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 1359a20bced9..311abaef8191 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 
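Review bot: With the CBC entries dropped from `KEX_SERVER_ENCRYPT` in crypto/openssh/myproposal.h, an upgraded server no longer offers `aes128-cbc`, `aes192-cbc` or `aes256-cbc` by default, and nothing in the header records that this is deliberate or how an administrator restores it. The FREEBSD-upgrade paragraph that documented the earlier re-addition is removed by the same patch, so a short comment above the define would help, e.g. `/* CBC modes are client-only by default; a server that must accept CBC-only clients has to list them under Ciphers in sshd_config. */`. `KEX_CLIENT_ENCRYPT` still proposes the three AES-CBC modes and `3des-cbc`, which matches the server-only scope in the commit title; if that is intended, the comment can say so. The hunk ends inside the `KEX_SERVER_MAC` define, which continues outside the visible lines.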
@@ -482,8 +482,7 @@ The default is:
 .Bd -literal -offset indent
 chacha20-poly1305@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-aes128-cbc,aes192-cbc,aes256-cbc
+aes128-gcm@openssh.com,aes256-gcm@openssh.com
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
-- 
2.11.0