summaryrefslogtreecommitdiff
path: root/package/network/services/dropbear/patches
diff options
context:
space:
mode:
authorMartin Schiller <ms@dev.tdt.de>2017-11-22 13:39:51 +0100
committerHans Dedecker <dedeckeh@gmail.com>2017-12-12 22:24:17 +0100
commit65d62b5f4ffcb481994f6865d0e03d0e9ad58b2b (patch)
treeb5c03d0aa6123bf579676e6c2925bfc500fd67e5 /package/network/services/dropbear/patches
parent575178e4628cf32b97feec66c4a9726b4f30fa88 (diff)
downloadmtk-20170518-65d62b5f4ffcb481994f6865d0e03d0e9ad58b2b.zip
mtk-20170518-65d62b5f4ffcb481994f6865d0e03d0e9ad58b2b.tar.gz
mtk-20170518-65d62b5f4ffcb481994f6865d0e03d0e9ad58b2b.tar.bz2
dropbear: disable MD5 HMAC and switch to sha1 fingerprints
As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Diffstat (limited to 'package/network/services/dropbear/patches')
-rw-r--r--package/network/services/dropbear/patches/120-openwrt_options.patch6
1 files changed, 4 insertions, 2 deletions
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index b49a95c..7f47a74 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -39,7 +39,7 @@
/* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. It is recommended for security
-@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
+@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
#define DROPBEAR_SHA1_HMAC
@@ -47,10 +47,12 @@
+/*#define DROPBEAR_SHA1_96_HMAC*/
#define DROPBEAR_SHA2_256_HMAC
-#define DROPBEAR_SHA2_512_HMAC
+-#define DROPBEAR_MD5_HMAC
+/*#define DROPBEAR_SHA2_512_HMAC*/
- #define DROPBEAR_MD5_HMAC
++/*#define DROPBEAR_MD5_HMAC*/
/* You can also disable integrity. Don't bother disabling this if you're
+ * still using a cipher, it's relatively cheap. If you disable this it's dead
@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
* Removing either of these won't save very much space.
* SSH2 RFC Draft requires dss, recommends rsa */