[Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers
Thomas De Schampheleire
thomas.de_schampheleire at nokia.com
Wed Jul 4 08:47:18 UTC 2018
Hi Baruch,
On Wed, Jul 04, 2018 at 10:30:58AM +0300, Baruch Siach wrote:
> Hi Thomas,
>
> On Wed, Jul 04, 2018 at 09:07:38AM +0200, Thomas De Schampheleire wrote:
> > CBC mode ciphers are considered insecure. Add an option to disable it.
>
> We have a patch from Stefan Sørensen to disable all weak algorithms by
> default:
>
> http://patchwork.ozlabs.org/patch/938595/
>
> I prefer Stefan's patch over this and the next patch.
>
> Stefan's patch doesn't deal with the MD5 HMAC as the next patch does. But I
> find it highly unlikely that upstream would enable MD5 by default ever again.
> Upstream commit 34ee32607598 adds this code in sysoptions.h:
>
> /* might be needed for compatibility with very old implementations */
> #ifndef DROPBEAR_MD5_HMAC
> #define DROPBEAR_MD5_HMAC 0
> #endif
>
> default_options.h doesn't mention MD5 at all.
Thanks for this info. I'm perfectly fine with Stefan's patch instead of these
two.
/Thomas
More information about the buildroot
mailing list