From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Markus Mayer <mmayer@broadcom.com>,
Markus Mayer via buildroot <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH] package/dropbear: provide config option to turn off SHA1 for RSA
Date: Sun, 18 Aug 2024 22:48:55 +0200
Message-ID: <87le0th808.fsf@dell.be.48ers.dk>
In-Reply-To: <20240817121031.55afa6c1@windsurf> (Thomas Petazzoni's message of "Sat, 17 Aug 2024 12:10:31 +0200")
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

> Inverted logic options are always a bit annoying. Wouldn't it be better
> to do:
>
> config BR2_PACKAGE_DROPBEAR_RSA_SHA1
> 	bool "SHA1 hashing for RSA"
> 	default y
> 	help
> 	  SHA1 is no longer considered secure, so users may want to
> 	  disable it, but the lack of SHA1 support for RSA might
> 	  preclude older clients from connecting
>
> 	  This option defaults to enabled to preserve backward
> 	  compatibility.
>
> Peter, what do you think? Or should we break backward compatibility for
> the sake of security, and leave SHA1 support disabled by default?

I think it makes most sense to do it like you suggest, but drop the
default y so it behaves similar to BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO.

Talking about _LEGACY_CRYPTO, I just noticed that dropbear 2022.83 has a
bug, so it unconditionally enables support for the legacy DSS
protocol (and 2024.84 fails to build without RSA SHA1). I'll bump
2024.02.x to dropbear 2024.85 to fix it.

--
Bye, Peter Korsgaard