1From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001 2From: Joseph Reynolds <joseph.reynolds1@ibm.com> 3Date: Thu, 20 Jun 2019 16:29:15 -0500 4Subject: [PATCH] dropbear: new feature: disable-weak-ciphers 5 6This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers 7in the dropbear ssh server and client since they're considered weak ciphers 8and we want to support the stong algorithms. 9 10Upstream-Status: Inappropriate [configuration] 11Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> 12 13--- 14 default_options.h | 4 ++-- 15 1 file changed, 2 insertions(+), 2 deletions(-) 16 17diff --git a/default_options.h b/default_options.h 18index 1aa2297..7ff1394 100644 19--- a/default_options.h 20+++ b/default_options.h 21@@ -163,12 +163,12 @@ IMPORTANT: Some options will require "make clean" after changes */ 22 * Small systems should generally include either curve25519 or ecdh for performance. 23 * curve25519 is less widely supported but is faster 24 */ 25-#define DROPBEAR_DH_GROUP14_SHA1 1 26+#define DROPBEAR_DH_GROUP14_SHA1 0 27 #define DROPBEAR_DH_GROUP14_SHA256 1 28 #define DROPBEAR_DH_GROUP16 0 29 #define DROPBEAR_CURVE25519 1 30 #define DROPBEAR_ECDH 1 31-#define DROPBEAR_DH_GROUP1 1 32+#define DROPBEAR_DH_GROUP1 0 33 34 /* When group1 is enabled it will only be allowed by Dropbear client 35 not as a server, due to concerns over its strength. Set to 0 to allow 36