This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in the dropbear ssh server and client since they're considered weak ciphers and we want to support the stong algorithms. Upstream-Status: Inappropriate [configuration] Signed-off-by: Joseph Reynolds Index: dropbear-2019.78/default_options.h =================================================================== --- dropbear-2019.78.orig/default_options.h +++ dropbear-2019.78/default_options.h @@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ -#define DROPBEAR_ENABLE_CBC_MODE 1 +#define DROPBEAR_ENABLE_CBC_MODE 0 /* Enable "Counter Mode" for ciphers. This is more secure than * CBC mode against certain attacks. It is recommended for security @@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma /* Message integrity. sha2-256 is recommended as a default, sha1 for compatibility */ #define DROPBEAR_SHA1_HMAC 1 -#define DROPBEAR_SHA1_96_HMAC 1 +#define DROPBEAR_SHA1_96_HMAC 0 #define DROPBEAR_SHA2_256_HMAC 1 /* Hostkey/public key algorithms - at least one required, these are used @@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma * Small systems should generally include either curve25519 or ecdh for performance. * curve25519 is less widely supported but is faster */ -#define DROPBEAR_DH_GROUP14_SHA1 1 +#define DROPBEAR_DH_GROUP14_SHA1 0 #define DROPBEAR_DH_GROUP14_SHA256 1 #define DROPBEAR_DH_GROUP16 0 #define DROPBEAR_CURVE25519 1 #define DROPBEAR_ECDH 1 -#define DROPBEAR_DH_GROUP1 1 +#define DROPBEAR_DH_GROUP1 0 /* When group1 is enabled it will only be allowed by Dropbear client not as a server, due to concerns over its strength. Set to 0 to allow