Bug#806962: No supported cipher blowfish breaks systems
Am Do den 3. Dez 2015 um 16:23 schrieb Colin Watson:
> On Thu, Dec 03, 2015 at 04:14:16PM +0100, Klaus Ethgen wrote:
> > The new version comes without blowfish cipher.
>
> Erm, no it doesn't? Upstream issued a future deprecation notice
> indicating that it will be disabled in future
Well, it is, but read on.
> (http://www.openssh.com/txt/release-7.1) but it hasn't been yet. I just
> diffed 1:6.9p1-3 against 1:7.1p1-1 and there are no changes affecting
> blowfish; furthermore, the 7.1 client still advertises blowfish-cbc.
In earlier versions, blowfish cipher was named "blowfish" not
"blowfish-cbc". So many (as mine) configurations have configured "Cipher
blowfish" (Client). That is breaking. In fact, the solution is
"blowfish" -> "blowfish-cbc" but that has to be done before the upgrade.
After upgrade it might be not possible anymore.
Due to the deprecation note, that is a big issue. I never trust AES from
the fact how it was chosen above twofish. With purging support for
blowfish, that would leave not many trusted alternatives anymore.
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
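A pre-upgrade check for the situation this message describes, as an added example that is not part of the original mail or of OpenSSH: it scans ssh_config text for `Cipher`/`Ciphers` directives that use the bare name "blowfish" and prints the line with the "blowfish-cbc" replacement the message gives. The function name, the sample configuration and the default path are assumptions made for illustration.

```python
import re
import sys

LEGACY = "blowfish"        # name the message says older configurations use
CURRENT = "blowfish-cbc"   # name the message says to switch to
KEYWORDS = {"cipher", "ciphers"}

# ssh_config syntax: keyword, then whitespace or a single '=', then arguments.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s)\s*(.*?)\s*$")

# Constructed sample, not taken from any real system.
SAMPLE = """\
# Ciphers blowfish   (commented out, ignored)
Host blowfish
    Cipher blowfish
    Ciphers aes128-ctr,blowfish-cbc
Host old
    Ciphers=+blowfish,3des-cbc
"""


def find_legacy_cipher(text, source="<config>"):
    """Return (source, line_no, original_line, suggested_line) per hit."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m or m.group(1).lower() not in KEYWORDS:
            continue  # e.g. "Host blowfish" is a host alias, not a cipher
        value = m.group(2).strip('"')
        # Ciphers lists may start with a '+', '-' or '^' modifier.
        prefix = value[:1] if value[:1] in ("+", "-", "^") else ""
        names = [n.strip() for n in value[len(prefix):].split(",")]
        if not any(n.lower() == LEGACY for n in names):
            continue  # "blowfish-cbc" is a different token and is not flagged
        fixed = ",".join(CURRENT if n.lower() == LEGACY else n for n in names)
        indent = raw[: len(raw) - len(raw.lstrip())]
        suggestion = f"{indent}{m.group(1)} {prefix}{fixed}"
        findings.append((source, no, raw, suggestion))
    return findings


if __name__ == "__main__":
    # With no arguments, run over the constructed sample above.
    paths = sys.argv[1:]
    texts = [(p, open(p).read()) for p in paths] or [("<sample>", SAMPLE)]
    for src, text in texts:
        for source, no, old, new in find_legacy_cipher(text, src):
            print(f"{source}:{no}: {old.strip()!r} -> {new.strip()!r}")
```

Run it against `~/.ssh/config` and `/etc/ssh/ssh_config` before upgrading; it only reports and never modifies a file.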