
Remove AES-CBC ciphers from default server and client lists.
Closed, Public

Authored by emaste on Jul 27 2020, 3:54 PM.

Details

Summary

For PR207679 we moved AES-CBC ciphers to the default list on the server for POLA/backwards compatibility reasons. Several years later, undo this in advance of FreeBSD 13.

OpenSSH 7.9p1 removed aes-cbc from the default client list.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

emaste created this revision.
crypto/openssh/myproposal.h, line 128:

These three originated in KEX_CLIENT_ENCRYPT with rS296619 but the history is a bit of a mess. Revisit the client list after.

cbc ciphers removed from client list in:

From 70c1218fc45757a030285051eb4d209403f54785 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 7 May 2017 23:13:42 +0000
Subject: [PATCH 66/68] upstream commit

Don't offer CBC ciphers by default in the client. ok
markus@

Upstream-ID: 94c9ce8d0d1a085052e11c7f3307950fdc0901ef
---
 myproposal.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/myproposal.h b/myproposal.h
index 072e36ec..c255147a 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.54 2016/09/28 16:33:07 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.55 2017/05/07 23:13:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -121,8 +121,7 @@
        "aes128-ctr,aes192-ctr,aes256-ctr" \
        AESGCM_CIPHER_MODES
 
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
-       "aes128-cbc,aes192-cbc,aes256-cbc"
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
 
 #define KEX_SERVER_MAC \
        "umac-64-etm@openssh.com," \
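Review bot: Collapsing KEX_CLIENT_ENCRYPT to a bare KEX_SERVER_ENCRYPT leaves the two macros with identical values and no comment saying the client list now intentionally mirrors the server's; a one-line comment above the #define would stop a later reader from reintroducing the trailing "," concatenation by mistake. The hunk only drops aes128-cbc, aes192-cbc and aes256-cbc from the default proposal; the cipher implementations themselves are untouched, so they stay selectable through the Ciphers option, which is also where any compatibility note for users belongs (ssh_config(5)/sshd_config(5)) rather than in the source.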
-- 
2.27.0
emaste retitled this revision from Revert r296634 "Re-add AES-CBC ciphers to the default cipher list on the server." to Remove AES-CBC ciphers from default server and client lists..
emaste edited the summary of this revision. (Show Details)

Could we please get stanzas in /etc/sshd/ssh{,d}_config commented out that show how to enable these if they are needed?

This revision is now accepted and ready to land. Jul 27 2020, 5:32 PM

Could we please get stanzas in /etc/sshd/ssh{,d}_config commented out that show how to enable these if they are needed?

For example,

Ciphers +aes128-cbc,aes192-cbc,aes256-cbc

I'd rather not deviate from upstream, but if we must I'd rather do so in sshd_config, not in the source.

Any idea why these were removed? There aren’t known attacks on correctly implemented CBC modes generally. Maybe it is specific to the openssh context. So, I am happy to defer to upstream defaults here.

In D25833#572370, @cem wrote:

Any idea why these were removed? There aren’t known attacks on correctly implemented CBC modes generally. Maybe it is specific to the openssh context. So, I am happy to defer to upstream defaults here.

https://www.kb.cert.org/vuls/id/958563 :

If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration can verifiably recover 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known.

Could we please get stanzas in /etc/sshd/ssh{,d}_config commented out that show how to enable these if they are needed?

For example,

Ciphers +aes128-cbc,aes192-cbc,aes256-cbc

I'd rather not deviate from upstream, but if we must I'd rather do so in sshd_config, not in the source.

Yes, as your example shows if that's what would allow a person to re-enable these should they be needed, and I am more concerned on the client side than the server, aka it is a royal pain to ssh into an old box if you do not remember what it is you need to put on the ssh command line to make it work with boxes that use older crypto. Maybe this is not the same issue I am thinking of, but I often have to add -oHostKeyAlgorithms=+ssh-dss to the ssh command to access old boxes, and there is a way to add this in /etc/ssh/ssh_config as well. And again, I am just asking for COMMENTS showing what these values are, and agree absolutely no need to do this in the source code.
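The `Ciphers +aes128-cbc,aes192-cbc,aes256-cbc` form discussed in the two comments above, as an added example that is not part of this review or of OpenSSH: a small Python model of how a Ciphers value with a leading `+`, `^` or `-` is applied to the default list, plus a check that reports which CBC ciphers an effective list still offers. The default and supported lists are constructed for the example (assumed to mirror KEX_SERVER_ENCRYPT after this change), the error text is modeled on ssh_config(5), and wildcards are only honoured in the `-` form, which is a simplification.

```python
import fnmatch

# Constructed for this example: assumed default proposal after this revision
# (chacha20-poly1305, the AES CTR modes, the AES GCM modes). Not copied from OpenSSH.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

# Ciphers the build still supports but no longer offers by default (assumption).
SUPPORTED_CIPHERS = DEFAULT_CIPHERS + ["aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"]


def apply_ciphers_option(value, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Model of how ssh(1)/sshd(8) interpret a Ciphers directive.

    A bare list replaces the default; '+' appends, '^' prepends, '-' removes
    (fnmatch wildcards allowed). Duplicates keep their first position, and a
    name the build does not support is rejected, as ssh would reject it.
    """
    value = value.strip()
    prefix, body = (value[0], value[1:]) if value[:1] in "+-^" else ("", value)
    names = [n for n in body.split(",") if n]
    if prefix == "-":
        return [c for c in default
                if not any(fnmatch.fnmatchcase(c, pat) for pat in names)]
    unknown = [n for n in names if n not in supported]
    if unknown:
        raise ValueError("Bad SSH2 cipher spec: " + ",".join(unknown))
    if prefix == "+":
        merged = list(default) + names
    elif prefix == "^":
        merged = names + list(default)
    else:
        merged = names
    seen, result = set(), []
    for c in merged:            # dedupe, preserving preference order
        if c not in seen:
            seen.add(c)
            result.append(c)
    return result


def cbc_ciphers(effective):
    """CBC-mode entries in an effective cipher list (the ones this revision
    drops from the default); an auditor wants this to come back empty."""
    return [c for c in effective if c.endswith("-cbc")]
```

Applied to the sample lists, the `+` form from the comments re-adds exactly the three CBC ciphers at the end of the preference order, and `-*-cbc` against the full supported list yields the new default.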