[yocto-security] Default dropbear ciphers should disallow SHA1
Joseph Reynolds
jrey at linux.ibm.com
Tue May 14 08:41:04 PDT 2019
On 2019-05-11 06:02, richard.purdie at linuxfoundation.org wrote:
> On Wed, 2019-05-08 at 13:18 -0500, Joseph Reynolds wrote:
>> Richard and Bernhard,
>>
>> Thanks for your response. I am glad we are having this discussion.
>>
>>
>> To be clear about my purpose:
>> The OpenBMC project has decided to remove all uses of DH group1 and
>> SHA1
>> in KEX and MAC and encryption ciphers because we have security
>> conscious
>> users. My question is if (a) OpenBMC carries that patch, or (b)
>> Yocto/poky or dropbear carries the patch (which means OpenBMC gets
>> that
>> change from its upstream projects). I just want that answer so I
>> know
>> where to target this patch (and I understand it's a complicated
>> question).
>
> I was asking some questions as we need data to make this decision. I
> think right now the approach which would work best for everyone would
> be to add the patch to OE-Core but making the configuration conditional
> on a PACKAGECONFIG to control it. We may or may not decide to do this
> by default, that discussion needs to happen on the OE-Core mailing list
> through normal patch review.
>
> Does that give us a way forward?
That works for me and sounds like the right approach. To clarify: The
dropbear package would have a new PACKAGECONFIG feature like
"disable-weak-ciphers" which, when enabled, would patch dropbear's
config file.
Who wants to make the patch? :-)
FYA, my timeline for this is early July 2019 the OpenBMC project
branches its 2.7 release. At that time, we would pick up either this
config feature, or (if that feature is not ready) do our own patch.
- Joseph
> Cheers,
>
> Richard
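A sketch of the PACKAGECONFIG approach Joseph describes, added here as an illustration and not OE-Core's or OpenBMC's actual recipe: a dropbear bbappend whose `disable-weak-ciphers` feature drops a `localoptions.h` into the source tree that turns off the SHA1-based MACs and the group1 / SHA1 key-exchange methods. It assumes current BitBake's `:append`/`:prepend` override syntax (layers from 2019 write `_append`/`_prepend`), that dropbear's build picks up `localoptions.h` from `${S}`, and that the DROPBEAR_* option names below match the dropbear version being built.

```bitbake
# dropbear_%.bbappend (illustrative; not the OE-Core recipe)

# Declare the feature; it needs no extra configure flags or dependencies,
# it only changes how do_configure below behaves.
PACKAGECONFIG[disable-weak-ciphers] = ",,,"

# A distro or image layer opts in with this line (or in its distro config).
PACKAGECONFIG:append = " disable-weak-ciphers"

do_configure:prepend() {
    # Only act when the feature is selected in PACKAGECONFIG.
    if ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'true', 'false', d)}; then
        # Assumption: dropbear includes localoptions.h from its source dir
        # after default_options.h, so only the overrides need listing.
        cat > ${S}/localoptions.h <<'EOF'
/* Added by the disable-weak-ciphers PACKAGECONFIG feature (assumed option names). */
/* MACs: drop HMAC-SHA1 and its truncated variant; SHA2 MACs stay enabled. */
#define DROPBEAR_SHA1_HMAC 0
#define DROPBEAR_SHA1_96_HMAC 0
/* KEX: drop diffie-hellman-group1-sha1 (server and client-only fallback)
 * and diffie-hellman-group14-sha1; group14-sha256 and ECDH stay enabled. */
#define DROPBEAR_DH_GROUP1 0
#define DROPBEAR_DH_GROUP1_CLIENTONLY 0
#define DROPBEAR_DH_GROUP14_SHA1 0
EOF
    fi
}
```

After the build, the resulting algorithm list can be confirmed from a client with `ssh -vv` against the BMC, or with a scanner such as ssh-audit, to check that no `sha1` KEX or MAC entries remain.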