
Disable *-cbc ciphers by default
Closed, Resolved (Public)


OpenSSH disabled CBC ciphers in servers in 2014 and in clients in 2017. Even though the attack is quite theoretical, people tend not to be happy to see them by default.

Given that we have had CTR modes for years and now have even faster methods using chacha or aes-gcm, there is no reason to keep them enabled by default.

Event Timeline

Jakuje created this task. Jul 1 2020, 6:44 PM
asn added a subscriber: asn. Jul 2 2020, 12:10 PM

I agree.