Remove AES-CBC ciphers from default server and client lists.
ClosedPublic
Actions

Authored by emaste on Jul 27 2020, 3:54 PM.

Details

Reviewers

des
rgrimes
markm

Group Reviewers

secteam
manpages

Commits

rS363627: ssh: Remove AES-CBC ciphers from default server and client lists

Summary

For PR207679 we moved AES-CBC ciphers to the default list on the server for POLA/backwards compatibility reasons. Several years later, undo this in advance of FreeBSD 13.

OpenSSH 7.9p1 removed aes-cbc from the default client list.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

emaste requested review of this revision.Jul 27 2020, 3:54 PM

emaste created this revision.

emaste added inline comments.Jul 27 2020, 4:00 PM

crypto/openssh/myproposal.h
128 ↗	(On Diff #75005)	These three originated in KEX_CLIENT_ENCRYPT with rS296619 but the history is a bit of a mess. Revisit the client list after.

cbc ciphers removed from client list in:

From 70c1218fc45757a030285051eb4d209403f54785 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 7 May 2017 23:13:42 +0000
Subject: [PATCH 66/68] upstream commit

Don't offer CBC ciphers by default in the client. ok
markus@

Upstream-ID: 94c9ce8d0d1a085052e11c7f3307950fdc0901ef
---
 myproposal.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/myproposal.h b/myproposal.h
index 072e36ec..c255147a 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.54 2016/09/28 16:33:07 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.55 2017/05/07 23:13:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -121,8 +121,7 @@
        "aes128-ctr,aes192-ctr,aes256-ctr" \
        AESGCM_CIPHER_MODES
 
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
-       "aes128-cbc,aes192-cbc,aes256-cbc"
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
 
 #define KEX_SERVER_MAC \
        "umac-64-etm@openssh.com," \
-- 
2.27.0

emaste updated this revision to Diff 75006.Jul 27 2020, 4:07 PM

emaste retitled this revision from Revert r296634 "Re-add AES-CBC ciphers to the default cipher list on the server." to Remove AES-CBC ciphers from default server and client lists..

emaste edited the summary of this revision. (Show Details)

swills added a subscriber: swills.Jul 27 2020, 4:56 PM

Could we please get stances in /etc/sshd/ssh{,d}_config commented out that show how to enable these if they are needed?

rgrimes accepted this revision.Jul 27 2020, 5:32 PM

This revision is now accepted and ready to land.Jul 27 2020, 5:32 PM

In D25833#572248, @rgrimes wrote:

Could we please get stances in /etc/sshd/ssh{,d}_config commented out that show how to enable these if they are needed?

For example,

Ciphers +aes128-cbc,aes192-cbc,aes256-cbc

I'd rather not deviate from upstream, but if we must I'd rather do so in sshd_config, not in the source.

markm accepted this revision.Jul 27 2020, 7:30 PM

Any idea why these were removed? There aren’t known attacks on correctly implemented CBC modes generally. Maybe it is specific to the openssh context. So, I am happy to defer to upstream defaults here.

In D25833#572370, @cem wrote:

Any idea why these were removed? There aren’t known attacks on correctly implemented CBC modes generally. Maybe it is specific to the openssh context. So, I am happy to defer to upstream defaults here.

https://www.kb.cert.org/vuls/id/958563 :

If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration can verifiably recover 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known.

Closed by commit rS363627: ssh: Remove AES-CBC ciphers from default server and client lists (authored by emaste). · Explain WhyJul 28 2020, 12:24 AM

This revision was automatically updated to reflect the committed changes.

emaste added a commit: rS363627: ssh: Remove AES-CBC ciphers from default server and client lists.

Herald added a reviewer: manpages. · View Herald TranscriptJul 28 2020, 12:24 AM

Herald added a subscriber: imp. · View Herald Transcript

In D25833#572269, @emaste wrote:
In D25833#572248, @rgrimes wrote:

Could we please get stances in /etc/sshd/ssh{,d}_config commented out that show how to enable these if they are needed?

For example,
Ciphers +aes128-cbc,aes192-cbc,aes256-cbc
I'd rather not deviate from upstream, but if we must I'd rather do so in sshd_config, not in the source.

Yes, as your example shows if thats what would allow a person to re-enable these should they be needed, and I am more concerned on the client side than the server, aka it is a royal pain to ssh into an old box if you do not remeber what it is you need to put on the ssh command line to make it work with boxes that use older crypto. Maybe this is not the same issue I am thinking of, but I often have to add -oHostKeyAlgorithms=+ssh-dss to the ssh command to access old boxes, and there is a way to add this in /etc/ssh/ssh_config as well. And again, I am just asking for COMMENTS showing what these values are, and agree absolutely no need to do this in the source code.