Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-11 Thread Matt Johnston
Dropbear has sha1 as the first on its priority list. You can change the order 
of the options in common-algo.c 
https://secure.ucc.asn.au/hg/dropbear/file/tip/common-algo.c#l185

I'll change it so that sha1 has lower priority for a future release.
Currently I don't think there is any security problem with sha1 as a hmac?

Cheers,
Matt

> On Thu 11/4/2019, at 12:11 pm, Chahar, Rohini wrote:
> 
> Hi Matt,
>  
> Please find my responses below.
>  
> Regards,
> Rohini
>  
> From: Matt Johnston <m...@ucc.asn.au>
> Sent: 10 April 2019 18:39
> To: Chahar, Rohini <rohini.cha...@netscout.com>
> Cc: dropbear@ucc.asn.au
> Subject: Re: Dropbear 2018.76 when behaving as client sending sha1 as mac
>  
> Hi Rohini,
>  
> I'm not entirely clear about the problem - is the connection failing or is it 
> just selecting hmac-sha2-sha1 which you don't want?
> ROHINI >> Dropbear is selecting sha1 and sha2 on its own. My understanding 
> was that first sha2 is tried and when the server does not support it then 
> dropbear moves to sha1, but it is not happening. When sending the request to 
> the server it is sending sha1 only. In the default_options.h file the comment 
> also says “/* Message integrity. sha2-256 is recommended as a default, sha1 
> for compatibility */”
>  
> The algorithm chosen will be the first one in the client's list that is also 
> in the server's list. When you do the "copy to the server" is it dropbear as 
> a client that is sending hmac-sha1? Was that compiled with sha2 enabled in 
> the options?
> ROHINI >> Yes, when I am doing a copy to the server dropbear is selecting 
> sha1. Yes, sha2 is enabled in the options. I also tried disabling sha1; then 
> dropbear sends sha2. I do not want to disable sha2, I want it to be the first 
> one used by dropbear. Is there any priority setting which is doing so?
>  
> If you can build them with 
>  
> #define DEBUG_TRACE 1
>  
> in localoptions.h then running with "dropbear -v" and "dbclient -v" will give 
> some debug output, or a tcpdump/wireshark capture should show what's going on 
> too.
> ROHINI >> I captured packets in Wireshark and it is from there that I 
> reached this conclusion.
>  
> Cheers,
> Matt
> 
> 
> On Wed 10/4/2019, at 8:15 pm, Chahar, Rohini <rohini.cha...@netscout.com> wrote:
>  
> Hi,
>  
> I am experiencing a problem w.r.t. dropbear 2018.76. I have the version 
> installed and it is working fine, but when I try to do a copy from this to a 
> server, dropbear sends the MAC as hmac-sha1. However, when I log in via PuTTY, 
> dropbear behaves as the server and uses hmac-sha2-256 as the MAC. 
> In the default file it is written that sha2 is the default option, but it is 
> not coming up as the default. My understanding was that dropbear sends sha2 as 
> the default option and, when the server does not support that MAC, falls back 
> to sha1.
> Do I need to do some code changes or is this a known problem? Please help me 
> in resolving this issue.
>  
> Regards,
> Rohini



RE: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-10 Thread Chahar, Rohini
Hi Matt,

Please find my responses below.

Regards,
Rohini

From: Matt Johnston 
Sent: 10 April 2019 18:39
To: Chahar, Rohini 
Cc: dropbear@ucc.asn.au
Subject: Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

Hi Rohini,

I'm not entirely clear about the problem - is the connection failing or is it 
just selecting hmac-sha2-sha1 which you don't want?
ROHINI >> Dropbear is selecting sha1 and sha2 on its own. My understanding was 
that first sha2 is tried and when the server does not support it then dropbear 
moves to sha1, but it is not happening. When sending the request to the server 
it is sending sha1 only. In the default_options.h file the comment also says 
"/* Message integrity. sha2-256 is recommended as a default, sha1 for 
compatibility */"

The algorithm chosen will be the first one in the client's list that is also in 
the server's list. When you do the "copy to the server" is it dropbear as a 
client that is sending hmac-sha1? Was that compiled with sha2 enabled in the 
options?
ROHINI >> Yes, when I am doing a copy to the server dropbear is selecting sha1. 
Yes, sha2 is enabled in the options. I also tried disabling sha1; then dropbear 
sends sha2. I do not want to disable sha2, I want it to be the first one used 
by dropbear. Is there any priority setting which is doing so?

If you can build them with

#define DEBUG_TRACE 1

in localoptions.h then running with "dropbear -v" and "dbclient -v" will give 
some debug output, or a tcpdump/wireshark capture should show what's going on 
too.
ROHINI >> I captured packets in Wireshark and it is from there that I reached 
this conclusion.

Cheers,
Matt


On Wed 10/4/2019, at 8:15 pm, Chahar, Rohini <rohini.cha...@netscout.com> wrote:

Hi,

I am experiencing a problem w.r.t. dropbear 2018.76. I have the version 
installed and it is working fine, but when I try to do a copy from this to a 
server, dropbear sends the MAC as hmac-sha1. However, when I log in via PuTTY, 
dropbear behaves as the server and uses hmac-sha2-256 as the MAC.
In the default file it is written that sha2 is the default option, but it is 
not coming up as the default. My understanding was that dropbear sends sha2 as 
the default option and, when the server does not support that MAC, falls back 
to sha1.
Do I need to do some code changes or is this a known problem? Please help me in 
resolving this issue.

Regards,
Rohini



Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-10 Thread Matt Johnston
Hi Rohini,

I'm not entirely clear about the problem - is the connection failing or is it 
just selecting hmac-sha2-sha1 which you don't want?

The algorithm chosen will be the first one in the client's list that is also in 
the server's list. When you do the "copy to the server" is it dropbear as a 
client that is sending hmac-sha1? Was that compiled with sha2 enabled in the 
options?

If you can build them with 

#define DEBUG_TRACE 1

in localoptions.h then running with "dropbear -v" and "dbclient -v" will give 
some debug output, or a tcpdump/wireshark capture should show what's going on 
too.

Cheers,
Matt

> On Wed 10/4/2019, at 8:15 pm, Chahar, Rohini wrote:
> 
> Hi,
>  
> I am experiencing a problem w.r.t. dropbear 2018.76. I have the version 
> installed and it is working fine, but when I try to do a copy from this to a 
> server, dropbear sends the MAC as hmac-sha1. However, when I log in via PuTTY, 
> dropbear behaves as the server and uses hmac-sha2-256 as the MAC. 
> In the default file it is written that sha2 is the default option, but it is 
> not coming up as the default. My understanding was that dropbear sends sha2 as 
> the default option and, when the server does not support that MAC, falls back 
> to sha1.
> Do I need to do some code changes or is this a known problem? Please help me 
> in resolving this issue.
>  
> Regards,
> Rohini
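The selection rule Matt states above (the first name in the client's list that the server also lists) and the fix he suggests in his 2019-04-11 reply (reorder the table in common-algo.c) are easiest to see side by side in a small added example. This is editor-added code, not Dropbear's own negotiation code, and the name-lists it feeds in are constructed to mirror the thread rather than taken from Rohini's Wireshark capture: a client that lists hmac-sha1 before hmac-sha2-256 (the 2018.76 client order the thread reports), the same client after reordering, and a client with sha1 disabled, each against servers that offer both, only sha1, or only sha2. The name-list format is the comma-separated string that appears in SSH_MSG_KEXINIT (RFC 4251 section 5), and the rule is the one from RFC 4253 section 7.1.

```c
#include <stdio.h>
#include <string.h>

/* Return non-zero when `name` (of length `namelen`, not NUL-terminated)
 * appears as a complete element of the comma-separated SSH name-list `list`,
 * e.g. "hmac-sha2-256,hmac-sha1". A substring such as "hmac-sha2" must not
 * match "hmac-sha2-256", so lengths are compared as well as bytes. */
static int namelist_contains(const char *list, const char *name, size_t namelen)
{
    const char *p = list;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == namelen && memcmp(p, name, len) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* The KEXINIT rule Matt describes: walk the client's list in order and take
 * the first name the server also lists. The server's own ordering plays no
 * part. Copies the chosen name into `out` and returns 1, or returns 0 and
 * leaves `out` empty when the lists share nothing (the connection would then
 * fail, rather than "fall back" to anything). */
int negotiate_mac(const char *client_list, const char *server_list,
                  char *out, size_t outlen)
{
    const char *p = client_list;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && len < outlen && namelist_contains(server_list, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        if (!comma)
            break;
        p = comma + 1;
    }
    if (outlen)
        out[0] = '\0';
    return 0;
}

/* Constructed name-lists for the scenarios in the thread (not from a capture). */
#define CLIENT_SHA1_FIRST "hmac-sha1,hmac-sha2-256"   /* order the thread reports */
#define CLIENT_SHA2_FIRST "hmac-sha2-256,hmac-sha1"   /* after reordering common-algo.c */
#define CLIENT_NO_SHA1    "hmac-sha2-256"             /* sha1 disabled in options */
#define SERVER_BOTH       "hmac-sha2-256,hmac-sha2-512,hmac-sha1"
#define SERVER_SHA1_ONLY  "hmac-sha1"
#define SERVER_SHA2_ONLY  "hmac-sha2-512,hmac-sha2-256"

static void show(const char *label, const char *client, const char *server)
{
    char chosen[64];
    if (negotiate_mac(client, server, chosen, sizeof chosen))
        printf("%-40s -> %s\n", label, chosen);
    else
        printf("%-40s -> no common MAC, connection fails\n", label);
}

int main(void)
{
    show("sha1-first client, server offers both", CLIENT_SHA1_FIRST, SERVER_BOTH);
    show("sha2-first client, server offers both", CLIENT_SHA2_FIRST, SERVER_BOTH);
    show("sha2-first client, sha1-only server", CLIENT_SHA2_FIRST, SERVER_SHA1_ONLY);
    show("sha1-first client, sha2-only server", CLIENT_SHA1_FIRST, SERVER_SHA2_ONLY);
    show("sha1 disabled, server offers both", CLIENT_NO_SHA1, SERVER_BOTH);
    show("sha1 disabled, sha1-only server", CLIENT_NO_SHA1, SERVER_SHA1_ONLY);
    return 0;
}
```

Build with any C compiler (`cc -o negotiate negotiate.c`, assuming the file is saved under that name) and run it. The first two lines show why reordering the client's table is the whole fix: with sha1 listed first the client gets hmac-sha1 even from a server that prefers sha2, and swapping the two entries flips the result. The third line is the fallback Rohini expected, and it still happens once sha2 is first, because the client keeps hmac-sha1 later in its list; so putting sha2 first costs nothing in compatibility. The last line is the cost of the other workaround (removing sha1 entirely): a sha1-only peer cannot connect at all. On Matt's closing question, HMAC-SHA1's security rests on the pseudorandomness of the compression function rather than on collision resistance, so the published SHA-1 collision results do not translate directly into a MAC forgery; preferring hmac-sha2-256 remains the sound default, and the thing to watch for is exactly what this thread turns on, a client-side default that differs from the server-side one.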



Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-10 Thread Chahar, Rohini
Hi,

I am experiencing a problem w.r.t. dropbear 2018.76. I have the version 
installed and it is working fine, but when I try to do a copy from this to a 
server, dropbear sends the MAC as hmac-sha1. However, when I log in via PuTTY, 
dropbear behaves as the server and uses hmac-sha2-256 as the MAC.
In the default file it is written that sha2 is the default option, but it is 
not coming up as the default. My understanding was that dropbear sends sha2 as 
the default option and, when the server does not support that MAC, falls back 
to sha1.
Do I need to do some code changes or is this a known problem? Please help me in 
resolving this issue.

Regards,
Rohini