From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Markus Mayer via buildroot <buildroot@buildroot.org>
Cc: Markus Mayer <mmayer@broadcom.com>
Subject: Re: [Buildroot] [PATCH] package/dropbear: provide config option to turn off SHA1 for RSA
Date: Sat, 17 Aug 2024 12:10:31 +0200
Message-ID: <20240817121031.55afa6c1@windsurf>
In-Reply-To: <20240817000027.654079-1-mmayer@broadcom.com>
Hello,
+Peter in Cc.
On Fri, 16 Aug 2024 17:00:26 -0700
Markus Mayer via buildroot <buildroot@buildroot.org> wrote:
> diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
> index 207c1f561700..099f61535aa2 100644
> --- a/package/dropbear/Config.in
> +++ b/package/dropbear/Config.in
> @@ -67,6 +67,12 @@ config BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO
> DSA public keys
> Diffie-Hellman Group1 key exchange
>
> +config BR2_PACKAGE_DROPBEAR_DISABLE_RSA_SHA1
> + bool "disable SHA1 hashing for RSA"
> + help
> + SHA1 is no longer considered secure. Users may want to disable
> + it. However, this may preclude older clients from connecting.
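Review bot: the new bool has no `default`, so it defaults to n and SHA1 for RSA stays enabled unless the user opts into the option; the help text should state that default, and should also name what the option actually changes in the dropbear build, since this hunk only adds the Config.in symbol and the wiring that acts on it is not in the quoted diff. The negative name (`..._DISABLE_RSA_SHA1`) also forces a double negative in defconfigs and in any `depends on`/`select` that refers to it; a positive `BR2_PACKAGE_DROPBEAR_RSA_SHA1` with `default y` and the same help text would express the same choice directly.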
Inverted logic options are always a bit annoying. Wouldn't it be better
to do:
config BR2_PACKAGE_DROPBEAR_RSA_SHA1
	bool "SHA1 hashing for RSA"
	default y
	help
	  SHA1 is no longer considered secure, so users may want to
	  disable it, but the lack of SHA1 support for RSA might
	  preclude older clients from connecting.

	  This option defaults to enabled to preserve backward
	  compatibility.
Peter, what do you think? Or should we break backward compatibility for
the sake of security, and leave SHA1 support disabled by default?
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
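Whichever polarity the option ends up with, the useful check after rebuilding is whether the resulting dropbear server still offers SHA1-based algorithms to clients. The script below is an added example and is not part of this thread, of Buildroot or of dropbear: it parses the `debug2: peer server KEXINIT proposal` section that an OpenSSH client prints with `ssh -vv`, and reports host-key and key-exchange algorithms that rely on SHA1 (`ssh-rsa`, `ssh-dss`, and the `*-sha1` Diffie-Hellman groups, which covers the legacy items named in the Config.in context). The two transcripts embedded in it are constructed, not captured from a real server.

```python
"""Audit an OpenSSH `ssh -vv` transcript for SHA1-based algorithms
offered by the server.

Added example for the dropbear RSA/SHA1 discussion; the transcripts
below are constructed, not real captures.  Usage:

    ssh -vv user@host exit 2>ssh.log
    python3 this_script.py ssh.log
"""
import re
import sys

# Host-key signature algorithms that use SHA1 (RSA/SHA1 and DSA).
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}
# Key-exchange methods whose hash is SHA1 (Group1 is also only 1024 bits).
SHA1_KEX_ALGS = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# `ssh -vv` prints one KEXINIT block for the local client and one for the
# peer server; only the server's block tells us what dropbear advertises.
SECTION_RE = re.compile(r"^debug2: (local client|peer server) KEXINIT proposal$")
LIST_RE = re.compile(r"^debug2: (KEX algorithms|host key algorithms): (.*)$")


def parse_server_proposal(transcript: str) -> dict:
    """Return {'kex': [...], 'hostkey': [...]} from the peer server section.

    Lines from the local client section are deliberately ignored, so a
    permissive client config cannot mask a hardened server.
    """
    result = {"kex": [], "hostkey": []}
    in_server = False
    for raw in transcript.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            in_server = section.group(1) == "peer server"
            continue
        if not in_server:
            continue
        lst = LIST_RE.match(line)
        if lst:
            key = "kex" if lst.group(1) == "KEX algorithms" else "hostkey"
            result[key] = [a for a in lst.group(2).split(",") if a]
    return result


def sha1_findings(transcript: str) -> dict:
    """Return the SHA1-dependent algorithms the server offered, by category."""
    prop = parse_server_proposal(transcript)
    return {
        "hostkey": sorted(set(prop["hostkey"]) & SHA1_HOSTKEY_ALGS),
        "kex": sorted(set(prop["kex"]) & SHA1_KEX_ALGS),
    }


# Constructed transcript: server built with legacy crypto still offers
# ssh-rsa, ssh-dss and Group1.  The client side also lists ssh-rsa to show
# that client offers do not count.
LEGACY_TRANSCRIPT = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
"""

# Constructed transcript: server rebuilt without SHA1 for RSA and without
# legacy crypto.
HARDENED_TRANSCRIPT = """\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-ed25519
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else LEGACY_TRANSCRIPT
    found = sha1_findings(text)
    for category, algs in found.items():
        status = "SHA1 still offered" if algs else "clean"
        print(f"{category}: {status} {algs}")
    return 1 if any(found.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when anything SHA1-based is still advertised, so the check can sit in a post-build or deployment test. Note that it only reports what the server offers in its own KEXINIT; it says nothing about the signature algorithm a particular client will end up negotiating.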
Thread overview: 8+ messages
2024-08-17 0:00 [Buildroot] [PATCH] package/dropbear: provide config option to turn off SHA1 for RSA Markus Mayer via buildroot
2024-08-17 10:10 ` Thomas Petazzoni via buildroot [this message]
2024-08-17 19:49 ` Markus Mayer via buildroot
2024-08-18 20:48 ` Peter Korsgaard
2024-08-18 22:31 ` Markus Mayer via buildroot
2024-08-19 7:11 ` Peter Korsgaard
2024-08-20 20:27 ` Markus Mayer via buildroot
2025-05-13 11:08 ` Peter Korsgaard