From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bruno Thomsen
Date: Thu, 19 Feb 2015 14:48:41 +0000
Message-ID: <915054555B5659448ACF8A70E114824D01984DDA94@Exchange2010.kamstrup.dk>
References: <1424101629-16021-1-git-send-email-bth@kamstrup.com> <20150219140925.GL30223@pengutronix.de>
In-Reply-To: <20150219140925.GL30223@pengutronix.de>
Subject: Re: [ptxdist] [PATCH] dropbear: version bump 2014.65 -> 2015.67
Reply-To: ptxdist@pengutronix.de
List-Id: PTXdist Development Mailing List
To: "ptxdist@pengutronix.de"

> > +config DROPBEAR_CBC_CIPHERS > > + bool > > + prompt "CBC mode ciphers" > > + default y > > + help > > + Enable CBC mode for ciphers. This has security issues though > > + is the most compatible with older SSH implementations.
>
> In that case, shouldn't this be off by default? Those that still need it can enable it.

I was a bit in doubt whether ptxdist's default policy was to be fairly secure out of the box or compatible with old software/equipment.
I'm all in for pushing a strong default security configuration :)

Bruno
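
Review bot: "default y" in the new DROPBEAR_CBC_CIPHERS entry turns on by default an option whose own help text says it "has security issues". Dropping the "default y" line (a Kconfig bool without a default is off) keeps CBC mode available as an opt-in for setups that must talk to older SSH implementations. The help text would also be more useful if it said what the security issue is, so that someone enabling the option knows what they are accepting.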