From: Maciej Soltysiak
To: Michael Richardson
Cc: "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] Available MACs in dropbear
Date: Fri, 24 Oct 2014 20:40:55 +0200
In-Reply-To: <4186.1414173172@sandelman.ca>
References: <4186.1414173172@sandelman.ca>

On Fri, Oct 24, 2014 at 7:52 PM, Michael Richardson wrote:
> > The reason why it hurts me is that I have servers configured according
> > to bettercrypto.org and I can't connect from cero (rare occasions, but
> 1) MD5 != HMAC-MD5.

That I didn't know, thanks Michael. For some reason bettercrypto.org
people make sure not to use hmac-md5 by suggesting the following:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

I believe I'd be able to connect if SHA256 or SHA512 was enabled here:
https://github.com/dtaht/cerowrt-3.10/blob/master/package/network/services/dropbear/patches/120-openwrt_options.patch

> 2) SSHv2 is not SSL, and POODLE would be impossible against SSHv2 (or IPsec
> for that matter).

That, I'm aware of, yes.

Best regards,
Maciej
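
Added example, not part of the original message and not dropbear or OpenSSH code: a sketch of SSH MAC negotiation as RFC 4253 section 7.1 defines it (the first name on the client's list that the server also lists), run against the MACs line quoted in the message. The two client offers are constructed assumptions and are not read from the dropbear patch; the function names are hypothetical.

```python
"""SSH MAC negotiation per RFC 4253 section 7.1 (added example)."""

# Server-side MACs line exactly as quoted in the message above.
SERVER_CONFIG = (
    "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
)

# Constructed client offers (assumptions, not taken from the dropbear patch).
CLIENT_SHA1_MD5_ONLY = ["hmac-sha1-96", "hmac-sha1", "hmac-md5"]
CLIENT_WITH_SHA2 = ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "hmac-md5"]


def parse_macs(config_text):
    """Return the name-list of the first 'MACs' keyword line, or []."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "macs":
            return [n.strip() for n in parts[1].split(",") if n.strip()]
    return []


def negotiate_mac(client_offer, server_offer):
    """First algorithm on the client's list that the server also lists."""
    accepted = set(server_offer)
    for name in client_offer:
        if name in accepted:
            return name
    return None  # no overlap: key exchange fails and the peer disconnects


def explain(client_offer, config_text):
    """Describe the negotiation outcome for one client offer."""
    server_offer = parse_macs(config_text)
    chosen = negotiate_mac(client_offer, server_offer)
    if chosen is None:
        return "no matching MAC; client offered: " + ",".join(client_offer)
    return "negotiated " + chosen


if __name__ == "__main__":
    print(explain(CLIENT_SHA1_MD5_ONLY, SERVER_CONFIG))
    print(explain(CLIENT_WITH_SHA2, SERVER_CONFIG))
```

The client's ordering decides the result, so the second offer settles on hmac-sha2-256 even though the server lists hmac-sha2-512 first.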