[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#806962: No supported cipher blowfish breaks systems



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Am Do den  3. Dez 2015 um 16:23 schrieb Colin Watson:
> On Thu, Dec 03, 2015 at 04:14:16PM +0100, Klaus Ethgen wrote:
> > The new version comes without blowfish cipher.
> 
> Erm, no it doesn't?  Upstream issued a future deprecation notice
> indicating that it will be disabled in future

Well, it is, but read on.

> (http://www.openssh.com/txt/release-7.1) but it hasn't been yet.  I just
> diffed 1:6.9p1-3 against 1:7.1p1-1 and there are no changes affecting
> blowfish; furthermore, the 7.1 client still advertises blowfish-cbc.

In earlier versions, blowfish cipher was named "blowfish" not
"blowfish-cbc". So many (as mine) configurations have configured "Cipher
blowfish" (Client). That is breaking. In fact, the solution is
"blowfish" -> "blowfish-cbc" but that has to be done before the upgrade.
After upgrade it might be not possible anymore.

Due to the deprecation note, that is a big issue. I never trust AES from
the fact how it was choosen above twofish. With purging support for
blowfish, that would leave not many trusted alternatives anymore.

Regards
   Klaus
- -- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBCgAGBQJWYGmgAAoJEKZ8CrGAGfasqnIMAJe2LSINqhi+Ev0xX78rXhJR
MPlVypxkQXbmBm+qzgaxIXMJzaEp8uy0bhs9GpZA5A2E2zd3Ysb7kL7P0u1gx/ls
AkaT/y6A0M8+OyJ4EE8PzR0U/zR5Ciia6p8tjYN+nAjax7pamAlt8P2K6EInUemr
+auw+w3mPvCAS1YiNG4oYoGit8H0Hphl/i8aF9zEJipTlAU8Nwh343fb8cVaJmLT
lfWcljh0e6q4l3rQDlw8PusoePWNJFyHVKYp1xQErxfKMj36a+rEffg27CGhnMo4
T9/koOG1TFFSqgkvwexz1nlQANqbBKfRS2sE6kuOSPYpo7jPvbRhz9JsGX8Dgl4/
/Au+rIYqXnkEZUSNAnRZlHBVUsxuZLYMnIDvLuujSPRyrO15ysMEhnsu/uTmpvSs
cWqmvwTm20B63/s0b4zQuEMWs6CeDhQXIqfoRwqRZb9vp2kvwzA7In7QSPtcfEJk
fmWlHhnj+1mhELt5XyWWEPDIpTDF7dzK3hYWjns3Ig==
=pi4d
-----END PGP SIGNATURE-----


Reply to: