author: Dag-Erling Smørgrav <des@FreeBSD.org> 2016-03-11 00:23:10 +0000
committer: Dag-Erling Smørgrav <des@FreeBSD.org> 2016-03-11 00:23:10 +0000
commit: c3c6c935fca17c15194dafc56ee3bf4ef9ecd35e
tree: 98f72e25491cb0731e1b80367228fc8b1ab82ea8 /crypto
parent: acc1a9ef8333c798c210fa94be6af4d5fe2dd794
Re-add AES-CBC ciphers to the default cipher list on the server.
PR: 207679
Notes: svn path=/head/; revision=296634
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/openssh/FREEBSD-upgrade | 8
-rw-r--r-- crypto/openssh/myproposal.h | 5
-rw-r--r-- crypto/openssh/sshd_config.5 | 3
3 files changed, 12 insertions, 4 deletions
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index 7acd51fbe663..43e2a743537e 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -1,4 +1,3 @@
-
FreeBSD maintainer's guide to OpenSSH-portable
==============================================
@@ -166,6 +165,13 @@
ignore HPN-related configuration options to avoid breaking existing
configurations.
+A) AES-CBC
+
+ The AES-CBC ciphers were removed from the server-side proposal list
+ in 6.7p1 due to theoretical weaknesses and the availability of
+ superior ciphers (including AES-CTR and AES-GCM). We have re-added
+ them for compatibility with third-party clients.
+
This port was brought to you by (in no particular order) DARPA, NAI
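Review bot: The new "A) AES-CBC" entry says why the ciphers came back but not where the local change lives, which is what the next person importing a new OpenSSH release needs from this file. Suggest naming the file and macro that carry the deviation (myproposal.h, KEX_SERVER_ENCRYPT), citing PR 207679 from the commit message, and stating that the CBC modes are appended after the CTR and GCM entries. It would also help to say what should trigger removing them again, since "compatibility with third-party clients" has no end condition as written.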
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
index 7a8b43228175..d286691ebb21 100644
--- a/crypto/openssh/myproposal.h
+++ b/crypto/openssh/myproposal.h
@@ -113,10 +113,11 @@
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr" \
- AESGCM_CIPHER_MODES
+ AESGCM_CIPHER_MODES \
+ ",aes128-cbc,aes192-cbc,aes256-cbc"
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
- "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+ "3des-cbc"
#define KEX_SERVER_MAC \
"umac-64-etm@openssh.com," \
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index baed664fc1f8..cc43aad6c86a 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -482,7 +482,8 @@ The default is:
.Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+aes128-cbc,aes192-cbc,aes256-cbc
.Ed
.Pp
The list of available ciphers may also be obtained using the
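Review bot: The default list in the literal block now matches the new KEX_SERVER_ENCRYPT order, but nothing in the visible text tells an administrator that the three "aes128-cbc,aes192-cbc,aes256-cbc" entries are a local addition kept for compatibility with third-party clients. Suggest one sentence after the .Ed saying so and pointing out that an explicit Ciphers line without the CBC names removes them. Please also check that the page's .Dd date is bumped in the same commit, since the hunk shown here does not touch it.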