On Tue, Dec 23, 2008, Christoph Schug wrote:
> Ralf S. Engelschall wrote:
>> On Mon, Dec 22, 2008, OpenPKG Project Robot wrote:
>>
>>> The following OpenPKG Contribution Area operation occurred.
>>> uploaded DIFF file "openssh.diff" accepted -- moved to contrib area.
>>> No action is required on your part.
>>
>> I've committed a slight variation of this patch now.
>
> Hmm, but I think this way it does not make too much sense as you
> included a more or less complete list of available ciphers. As far as
> I know the server picks one cipher based on the client's perference.
> The client can choose from the list offered by the server and might
> potentially prefer a cipher which might be insecure. IIRC the order
> within the list of ciphers on the server is not relevant. So the idea
> was to remove any potentially insecure ciphers.
Well, as the advisory states, the whole impact of the vulnerability is
still somewhat unclear and the suggested reduction of the cipher suite
is OK to be safe in advance on _this_ vulnerability, but OTOH it might
have other drawbacks. So, I don't want to rush as long as the upstream
vendors make a more clear and definite statement.
Instead, I think the reduction to "Protocol 2" only by default on the
server and the _addition_ of the CTR-mode ciphers is a reasonable thing
we should do and hence I've applied this. On the client side I want to
be not too restrictive by default at this time and on the server-side
we need more consideration before we should reduce the accepted cipher
suites such massively.
Ralf S. Engelschall
r...@engelschall.com
www.engelschall.com
______________________________________________________________________
OpenPKG http://openpkg.org
Developer Communication List openpkg-dev@openpkg.org
