On 07.08.2016 20:43, Andrey Chernov wrote: > On 07.08.2016 20:37, Slawa Olhovchenkov wrote: >> On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote: >> >>> On 07.08.2016 20:31, Andrey Chernov wrote: >>>> On 07.08.2016 19:14, Bruce Simpson wrote: >>>>> On 07/08/16 15:40, Warner Losh wrote: >>>>>> That’s a cop-out answer. We, as a project, need to articulate to our >>>>>> users, whom we care about, why this rather obnoxious hit to usability >>>>>> was taken. The answer must be more complete than “We just disabled >>>>>> it because upstream disabled it for reasons we’re too lazy to explain >>>>>> or document how to work around" >>>>> >>>>> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which >>>>> accepted the upstream change, workaround no-go) >>>>> >>>>> [2.3.2-RELEASE][r...@gw.lab]/root: ssh -l admin >>>>> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX >>>>> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX >>>>> group out of range >>>>> >>>> >>>> DH prime size must be at least 2048, openssh now refuse lower values. >>>> Commonly used DH size 1024 can be easily broken. See https://weakdh.org >>>> >>> diffie-hellman-group1-sha1 use DH 1024 and insecure sha1 both. >> >> IMHO, this is wrong choise: totaly lost of control now vs teoretical >> compromise of control in the future. > > Please note that it was not my choice and I can't answer what to do with > non-upgradeable hardware question, address it to the author. I just tell > you _why_ it happens. >
BTW, compromise is practical enough. From https://weakdh.org/ "A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"