[Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers

Thomas De Schampheleire thomas.de_schampheleire at nokia.com
Wed Jul 4 08:47:18 UTC 2018


Hi Baruch,

On Wed, Jul 04, 2018 at 10:30:58AM +0300, Baruch Siach wrote:
> Hi Thomas,
> 
> On Wed, Jul 04, 2018 at 09:07:38AM +0200, Thomas De Schampheleire wrote:
> > CBC mode ciphers are considered insecure. Add an option to disable it.
> 
> We have a patch from Stefan Sørensen to disable all weak algorithms by 
> default:
> 
>   http://patchwork.ozlabs.org/patch/938595/
> 
> I prefer Stefan's patch over this and the next patch.
> 
> Stefan's patch doesn't deal with the MD5 HMAC as the next patch does. But I 
> find it highly unlikely that upstream would enable MD5 by default ever again. 
> Upstream commit 34ee32607598 adds this code in sysoptions.h:
> 
> /* might be needed for compatibility with very old implementations */
> #ifndef DROPBEAR_MD5_HMAC
> #define DROPBEAR_MD5_HMAC 0
> #endif
> 
> default_options.h doesn't mention MD5 at all.


Thanks for this info. I'm perfectly fine with Stefan's patch instead of these
two.

/Thomas


More information about the buildroot mailing list