diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-09-05 14:02:42 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2016-09-12 13:39:30 +1000 |
| commit | da95318dbedbaa1335323dba370975c2f251afd8 (patch) | |
| tree | 6c7802974f2fb4f63216e6665b12d0b5f34f641b | |
| parent | b33ad6d997d36edfea65e243cd12ccd01f413549 (diff) | |
upstream commit
remove 3des-cbc from the client's default proposal;
64-bit block ciphers are not safe in 2016 and we don't want to wait until
attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may
cause problems connecting to older devices using the defaults, but
it's highly likely that such devices already need explicit
configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
| -rw-r--r-- | myproposal.h | 4 | ||||
| -rw-r--r-- | ssh_config.5 | 6 |
2 files changed, 5 insertions, 5 deletions
diff --git a/myproposal.h b/myproposal.h index 597090164..5c088e5e9 100644 --- a/myproposal.h +++ b/myproposal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: myproposal.h,v 1.50 2016/02/09 05:30:04 djm Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.52 2016/09/05 14:02:42 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| @@ -120,7 +120,7 @@ | |||
| 120 | AESGCM_CIPHER_MODES | 120 | AESGCM_CIPHER_MODES |
| 121 | 121 | ||
| 122 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ | 122 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ |
| 123 | "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" | 123 | "aes128-cbc,aes192-cbc,aes256-cbc" |
| 124 | 124 | ||
| 125 | #define KEX_SERVER_MAC \ | 125 | #define KEX_SERVER_MAC \ |
| 126 | "umac-64-etm@openssh.com," \ | 126 | "umac-64-etm@openssh.com," \ |
diff --git a/ssh_config.5 b/ssh_config.5 index 7630e7bcb..259a786a1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.236 2016/07/22 07:00:46 djm Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.237 2016/09/05 14:02:42 djm Exp $ |
| 37 | .Dd $Mdocdate: July 22 2016 $ | 37 | .Dd $Mdocdate: September 5 2016 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -488,7 +488,7 @@ The default is: | |||
| 488 | chacha20-poly1305@openssh.com, | 488 | chacha20-poly1305@openssh.com, |
| 489 | aes128-ctr,aes192-ctr,aes256-ctr, | 489 | aes128-ctr,aes192-ctr,aes256-ctr, |
| 490 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 490 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
| 491 | aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc | 491 | aes128-cbc,aes192-cbc,aes256-cbc |
| 492 | .Ed | 492 | .Ed |
| 493 | .Pp | 493 | .Pp |
| 494 | The list of available ciphers may also be obtained using the | 494 | The list of available ciphers may also be obtained using the |