summaryrefslogtreecommitdiff
path: root/myproposal.h
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2016-09-05 14:02:42 +0000
committerDarren Tucker <dtucker@zip.com.au>2016-09-12 13:39:30 +1000
commitda95318dbedbaa1335323dba370975c2f251afd8 (patch)
tree6c7802974f2fb4f63216e6665b12d0b5f34f641b /myproposal.h
parentb33ad6d997d36edfea65e243cd12ccd01f413549 (diff)
upstream commit
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway. ok deraadt, markus, dtucker Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
Diffstat (limited to 'myproposal.h')
-rw-r--r--myproposal.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/myproposal.h b/myproposal.h
index 59709016..5c088e5e 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.50 2016/02/09 05:30:04 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.52 2016/09/05 14:02:42 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -120,7 +120,7 @@
AESGCM_CIPHER_MODES
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
- "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+ "aes128-cbc,aes192-cbc,aes256-cbc"
#define KEX_SERVER_MAC \
"umac-64-etm@openssh.com," \