upstream commit

remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway. ok deraadt, markus, dtucker Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
author: djm@openbsd.org <djm@openbsd.org> 2016-09-05 14:02:42 +0000
committer: Darren Tucker <dtucker@zip.com.au> 2016-09-12 13:39:30 +1000
commit: da95318dbedbaa1335323dba370975c2f251afd8 (patch)
tree: 6c7802974f2fb4f63216e6665b12d0b5f34f641b /ssh_config.5
parent: b33ad6d997d36edfea65e243cd12ccd01f413549 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 7630e7bcb..259a786a1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.236 2016/07/22 07:00:46 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.237 2016/09/05 14:02:42 djm Exp $
-.Dd $Mdocdate: July 22 2016 $
+.Dd $Mdocdate: September 5 2016 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -488,7 +488,7 @@ The default is:
 chacha20-poly1305@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
+aes128-cbc,aes192-cbc,aes256-cbc
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
author	djm@openbsd.org <djm@openbsd.org>	2016-09-05 14:02:42 +0000
committer	Darren Tucker <dtucker@zip.com.au>	2016-09-12 13:39:30 +1000
commit	da95318dbedbaa1335323dba370975c2f251afd8 (patch)
tree	6c7802974f2fb4f63216e6665b12d0b5f34f641b /ssh_config.5
parent	b33ad6d997d36edfea65e243cd12ccd01f413549 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 7630e7bcb..259a786a1 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.236 2016/07/22 07:00:46 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.237 2016/09/05 14:02:42 djm Exp $
37	.Dd $Mdocdate: July 22 2016 $	37	.Dd $Mdocdate: September 5 2016 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -488,7 +488,7 @@ The default is:
488	chacha20-poly1305@openssh.com,	488	chacha20-poly1305@openssh.com,
489	aes128-ctr,aes192-ctr,aes256-ctr,	489	aes128-ctr,aes192-ctr,aes256-ctr,
490	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	490	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
491	aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc	491	aes128-cbc,aes192-cbc,aes256-cbc
492	.Ed	492	.Ed
493	.Pp	493	.Pp
494	The list of available ciphers may also be obtained using the	494	The list of available ciphers may also be obtained using the