[openssh-commits] [openssh] 02/08: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Sep 12 13:49:46 AEST 2016


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit da95318dbedbaa1335323dba370975c2f251afd8
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Sep 5 14:02:42 2016 +0000

    upstream commit
    
    remove 3des-cbc from the client's default proposal;
    64-bit block ciphers are not safe in 2016 and we don't want to wait until
    attacks like sweet32 are extended to SSH.
    
    As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may
    cause problems connecting to older devices using the defaults, but
    it's highly likely that such devices already need explicit
    configuration for KEX and hostkeys anyway.
    
    ok deraadt, markus, dtucker
    
    Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
---
 myproposal.h | 4 ++--
 ssh_config.5 | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/myproposal.h b/myproposal.h
index 5970901..5c088e5 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.50 2016/02/09 05:30:04 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.52 2016/09/05 14:02:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -120,7 +120,7 @@
 	AESGCM_CIPHER_MODES
 
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
-	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+	"aes128-cbc,aes192-cbc,aes256-cbc"
 
 #define KEX_SERVER_MAC \
 	"umac-64-etm at openssh.com," \
diff --git a/ssh_config.5 b/ssh_config.5
index 7630e7b..259a786 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.236 2016/07/22 07:00:46 djm Exp $
-.Dd $Mdocdate: July 22 2016 $
+.\" $OpenBSD: ssh_config.5,v 1.237 2016/09/05 14:02:42 djm Exp $
+.Dd $Mdocdate: September 5 2016 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -488,7 +488,7 @@ The default is:
 chacha20-poly1305 at openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm at openssh.com,aes256-gcm at openssh.com,
-aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
+aes128-cbc,aes192-cbc,aes256-cbc
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list