Dropbear has sha1 as the first on its priority list. You can change the order of the options in common-algo.c https://secure.ucc.asn.au/hg/dropbear/file/tip/common-algo.c#l185
I'll change it so that sha1 has lower priority for a future release. Currently I don't think there is any security problem with sha1 as a hmac? Cheers, Matt > On Thu 11/4/2019, at 12:11 pm, Chahar, Rohini <rohini.cha...@netscout.com> > wrote: > > Hi Matt, > > Please find my responses below. > > Regards, > Rohini > > From: Matt Johnston <m...@ucc.asn.au <mailto:m...@ucc.asn.au>> > Sent: 10 April 2019 18:39 > To: Chahar, Rohini <rohini.cha...@netscout.com > <mailto:rohini.cha...@netscout.com>> > Cc: dropbear@ucc.asn.au <mailto:dropbear@ucc.asn.au> > Subject: Re: Dropbear 2018.76 when behaving as client sending sha1 as mac > > [EXTERNAL EMAIL] > Hi Rohini, > > I'm not entirely clear about the problem - is the conneciton failing or is it > just selecting hmac-sha2-sha1 which you don't want? > ROHINI >> Dropbear is selecting sha1 and sha2 on its own. My understanding > was first sha2 is tried and when the server do not supports it them dropbear > move to sha1 but it is not happening. When sending request to server it is > sending sha1 only. In default_options.h file comment also says “/* Message > integrity. sha2-256 is recommended as a default, sha1 for compatibility */” > > The algorithm chosen will be the first one in the client's list that is also > in the server's list. When you do the "copy to the server" is it dropbear as > a client that is sending hmac-sha1? Was that compiled with sha2 enabled in > the options? > ROHINI >> Yes when I am doing copy to server dropbear is selecting sha1. Yes > sha2 is enabled in options. I also tried disabling sha1 then dropbear is > sending sha2. I do not want to disable sha2 I want it to be the first one > used by dropbear. Is there any priority setting which is doing so? > > If you can build them with > > #define DEBUG_TRACE 1 > > in localoptions.h then running with "dropbear -v" and "dbclient -v" will give > some debug output, or a tcpdump/wireshark capture should show what's going on > too. > ROHINI >> I captured packets in wireshark and from there only I reached to > this conclusion. > > Cheers, > Matt > > > On Wed 10/4/2019, at 8:15 pm, Chahar, Rohini <rohini.cha...@netscout.com > <mailto:rohini.cha...@netscout.com>> wrote: > > Hi, > > I am experiencing a problem w.r.t dropbear 2018.76. I have the version > installed and it is working fine but when I try to do a copy from this to a > server that time dropbear is sending mac as hmac-sha1. However when I try to > do login via putty that time dropbear behaves as server and uses mac as > hmac-sha2-256. > In default file it is written that sha2 is default option but it is not > coming as default. My understanding was that dropbear sends sha2 as default > option and when server do not supports the mac it falls back to sha1. > Do I need to do some code changes or is this a known problem? Please help me > in resolving this issue. > > Regards, > Rohini
