> On Aug 8, 2016, at 10:45 PM, Warner Losh wrote:
>
> On Mon, Aug 8, 2016 at 4:41 AM, Dag-Erling Smørgrav wrote:
>> Warner Losh writes:
>>> Andrey Chernov writes:
FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
so it is the right time to deprecate for them.
>>> Ni
On Mon, Aug 8, 2016 at 4:41 AM, Dag-Erling Smørgrav wrote:
> Warner Losh writes:
>> Andrey Chernov writes:
>> > FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
>> > so it is the right time to deprecate for them.
>> Nice try, but feature freeze was months ago. Have you got buy
On Mon, Aug 8, 2016 at 1:25 AM, Brooks Davis wrote:
> On Sun, Aug 07, 2016 at 03:48:44PM -0700, Xin Li wrote:
>>
>>
>> On 8/7/16 14:20, Warner Losh wrote:
>> >
>> >> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
>> >>
>> >>> OTOH, FreeBSD has a documented deprecation process that says things
On 7 Aug 2016, at 7:40, Bruce Simpson wrote:
> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing
>> operational basis (e.g. configuration file) for those of us who
>> use FreeBSD to connect directly to such devices?
>
> I was able to override t
Warner Losh writes:
> Andrey Chernov writes:
> > FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
> > so it is the right time to deprecate for them.
> Nice try, but feature freeze was months ago. Have you got buy in from the
> security officer and the release engineer?
>
> I did
On Sun, Aug 07, 2016 at 03:48:44PM -0700, Xin Li wrote:
>
>
> On 8/7/16 14:20, Warner Losh wrote:
> >
> >> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
> >>
> >>> OTOH, FreeBSD has a documented deprecation process that says things will
> >>> continue working for a major release after being
On Mon, Aug 08, 2016 at 11:40:55AM +0100, Bruce Simpson wrote:
> On 08/08/16 11:36, Dag-Erling Smørgrav wrote:
> > Bruce Simpson writes:
> > > Alcatel-Lucent OmniSwitch 6800 login broken
> ...
> > This patch did not remove weak DH groups. That happened in 7.0p1 back
> > in January.
>
> So my rea
On 08/08/16 11:36, Dag-Erling Smørgrav wrote:
Bruce Simpson writes:
Alcatel-Lucent OmniSwitch 6800 login broken
...
This patch did not remove weak DH groups. That happened in 7.0p1 back
in January.
So my reading of this is that PuTTy may be the best workaround for
end-users who have to sp
Bruce Simpson writes:
> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
> accepted the upstream change, workaround no-go)
>
> [2.3.2-RELEASE][r...@gw.lab]/root: ssh -l admin
> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
> Fssh_ssh_dispatch_run_fatal: Connection to 19
Andrey Chernov writes:
> You should address your complaints to the original openssh author instead, it
> was his decision to get rid of weak algos. In my personal opinion, if
> your hardware is outdated, just drop it out. We can't turn our security
> team into a compatibility team, by constantly restorin
On 08.08.2016 1:48, Xin Li wrote:
> Well, despite the fact that I have to admit that I get locked out from
> my own storage box too, however (even without wearing any hat) I am for
> the change and would blame myself for being lazy in adopting the change
> when upstream had announced it earlie
On 08.08.2016 2:01, Andrey Chernov wrote:
> On 08.08.2016 1:48, Xin Li wrote:
>> Well, despite the fact that I have to admit that I get locked out from
>> my own storage box too, however (even without wearing any hat) I am for
>> the change and would blame myself for being lazy in adopting the chan
On 08.08.2016 0:28, Andrey Chernov wrote:
> On 08.08.2016 0:20, Warner Losh wrote:
>>
>>> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
>>>
OTOH, FreeBSD has a documented deprecation process that says things will
continue working for a major release after being formally deprecated.
>
On 8/7/16 14:20, Warner Losh wrote:
>
>> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
>>
>>> OTOH, FreeBSD has a documented deprecation process that says things will
>>> continue working for a major release after being formally deprecated.
>>
>> FreeBSD 11 is not released yet (betas are no
On 08.08.2016 0:20, Warner Losh wrote:
>
>> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
>>
>>> OTOH, FreeBSD has a documented deprecation process that says things will
>>> continue working for a major release after being formally deprecated.
>>
>> FreeBSD 11 is not released yet (betas are n
> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
>
>> OTOH, FreeBSD has a documented deprecation process that says things will
>> continue working for a major release after being formally deprecated.
>
> FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
> so it is right
On 07.08.2016 23:40, Peter Jeremy wrote:
> On 2016-Aug-07 15:25:54 +0300, Andrey Chernov wrote:
>> You should address your complaints to the original openssh author instead, it
>> was his decision to get rid of weak algos.
>
> No. It's up to the person who imported the code into FreeBSD to understand
On 07.08.2016 22:56, Slawa Olhovchenkov wrote:
> On Sun, Aug 07, 2016 at 10:42:56PM +0300, Andrey Chernov wrote:
>
>> On 07.08.2016 22:10, Slawa Olhovchenkov wrote:
>>> On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote:
>>>
On 07.08.2016 21:52, Slawa Olhovchenkov wrote:
>> Wh
On 2016-Aug-07 15:25:54 +0300, Andrey Chernov wrote:
>You should address your complaints to the original openssh author instead, it
>was his decision to get rid of weak algos.
No. It's up to the person who imported the code into FreeBSD to understand
why the change was made and to be able to justify
On Sun, Aug 07, 2016 at 10:42:56PM +0300, Andrey Chernov wrote:
> On 07.08.2016 22:10, Slawa Olhovchenkov wrote:
> > On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote:
> >
> >> On 07.08.2016 21:52, Slawa Olhovchenkov wrote:
> Why have you still not
> sent your opinion to the aut
On 07.08.2016 22:10, Slawa Olhovchenkov wrote:
> On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote:
>
>> On 07.08.2016 21:52, Slawa Olhovchenkov wrote:
Why have you still not
sent your opinion to the author?
>>>
>>> I am not sure about a suitable response from the author.
>>> May b
On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote:
> On 07.08.2016 21:52, Slawa Olhovchenkov wrote:
> >> Why have you still not
> >> sent your opinion to the author?
> >>
> >
> > I am not sure about a suitable response from the author.
> > Maybe the project [FreeBSD] could choose some compromise.
>
> IM
On 07.08.2016 21:52, Slawa Olhovchenkov wrote:
>> Why have you still not
>> sent your opinion to the author?
>>
>
> I am not sure about a suitable response from the author.
> Maybe the project [FreeBSD] could choose some compromise.
IMHO blindly choosing some compromise without asking the author's opinion
first will be u
On Sun, Aug 07, 2016 at 09:34:51PM +0300, Andrey Chernov wrote:
> On 07.08.2016 21:23, Slawa Olhovchenkov wrote:
> > On Sun, Aug 07, 2016 at 09:06:37PM +0300, Andrey Chernov wrote:
> >
> >> On 07.08.2016 20:43, Andrey Chernov wrote:
> >>> On 07.08.2016 20:37, Slawa Olhovchenkov wrote:
> On S
On 07.08.2016 21:23, Slawa Olhovchenkov wrote:
> On Sun, Aug 07, 2016 at 09:06:37PM +0300, Andrey Chernov wrote:
>
>> On 07.08.2016 20:43, Andrey Chernov wrote:
>>> On 07.08.2016 20:37, Slawa Olhovchenkov wrote:
On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
> On 07.
On Sun, Aug 07, 2016 at 09:06:37PM +0300, Andrey Chernov wrote:
> On 07.08.2016 20:43, Andrey Chernov wrote:
> > On 07.08.2016 20:37, Slawa Olhovchenkov wrote:
> >> On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
> >>
> >>> On 07.08.2016 20:31, Andrey Chernov wrote:
> On 07.08
On 07.08.2016 20:43, Andrey Chernov wrote:
> On 07.08.2016 20:37, Slawa Olhovchenkov wrote:
>> On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
>>
>>> On 07.08.2016 20:31, Andrey Chernov wrote:
On 07.08.2016 19:14, Bruce Simpson wrote:
> On 07/08/16 15:40, Warner Losh wrote:
On 07.08.2016 20:37, Slawa Olhovchenkov wrote:
> On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
>
>> On 07.08.2016 20:31, Andrey Chernov wrote:
>>> On 07.08.2016 19:14, Bruce Simpson wrote:
On 07/08/16 15:40, Warner Losh wrote:
> That’s a cop-out answer. We, as a project,
On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
> On 07.08.2016 20:31, Andrey Chernov wrote:
> > On 07.08.2016 19:14, Bruce Simpson wrote:
> >> On 07/08/16 15:40, Warner Losh wrote:
> >>> That’s a cop-out answer. We, as a project, need to articulate to our
> >>> users, whom we care
On 07/08/16 18:34, Andrey Chernov wrote:
Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
accepted the upstream change, workaround no-go)
[2.3.2-RELEASE][r...@gw.lab]/root: ssh -l admin
-oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
Fssh_ssh_dispatch_run_fatal: Connect
On 07.08.2016 19:14, Bruce Simpson wrote:
> On 07/08/16 15:40, Warner Losh wrote:
>> That’s a cop-out answer. We, as a project, need to articulate to our
>> users, whom we care about, why this rather obnoxious hit to usability
>> was taken. The answer must be more complete than “We just disabled
>>
On 07.08.2016 20:31, Andrey Chernov wrote:
> On 07.08.2016 19:14, Bruce Simpson wrote:
>> On 07/08/16 15:40, Warner Losh wrote:
>>> That’s a cop-out answer. We, as a project, need to articulate to our
>>> users, whom we care about, why this rather obnoxious hit to usability
>>> was taken. The answe
On 07.08.2016 20:31, Andrey Chernov wrote:
> On 07.08.2016 19:14, Bruce Simpson wrote:
>> On 07/08/16 15:40, Warner Losh wrote:
>>> That’s a cop-out answer. We, as a project, need to articulate to our
>>> users, whom we care about, why this rather obnoxious hit to usability
>>> was taken. The answe
On 07/08/16 15:40, Warner Losh wrote:
That’s a cop-out answer. We, as a project, need to articulate to our
users, whom we care about, why this rather obnoxious hit to usability
was taken. The answer must be more complete than “We just disabled
it because upstream disabled it for reasons we’re too
On 07.08.2016 17:40, Warner Losh wrote:
>
>> On Aug 7, 2016, at 7:21 AM, Andrey Chernov wrote:
>>>
We can't turn our security
team into a compatibility team, by constantly restoring removed code; such
code quickly becomes outdated and may add new security holes even while
inacti
> On Aug 7, 2016, at 7:21 AM, Andrey Chernov wrote:
>>
>>> We can't turn our security
>>> team into a compatibility team, by constantly restoring removed code; such
>>> code quickly becomes outdated and may add new security holes even while
>>> inactive.
>>
>> What is security hole by present thi
On 07.08.2016 15:52, Slawa Olhovchenkov wrote:
>> You should address your complaints to the original openssh author instead, it
>> was his decision to get rid of weak algos. In my personal opinion, if
>> your hardware is outdated, just drop it out.
>
> Hardware outdated by outdated main function, not b
On Sun, Aug 07, 2016 at 03:25:54PM +0300, Andrey Chernov wrote:
> On 07.08.2016 14:59, Bruce Simpson wrote:
> > On 07/08/16 12:43, Oliver Pinter wrote:
> >>> I was able to override this (somewhat unilateral, to my mind)
> >>> deprecation of the DH key exchange by using this option:
> >>> -oKexAlgo
2016-08-07 14:25 GMT+02:00 Andrey Chernov :
> You should address your complaints to the original openssh author instead, it
> was his decision to get rid of weak algos. In my personal opinion, if
> your hardware is outdated, just drop it out. We can't turn our security
> team into a compatibility team, by
On 07.08.2016 14:59, Bruce Simpson wrote:
> On 07/08/16 12:43, Oliver Pinter wrote:
>>> I was able to override this (somewhat unilateral, to my mind)
>>> deprecation of the DH key exchange by using this option:
>>> -oKexAlgorithms=+diffie-hellman-group1-sha1
>>
>> You can add this option to /etc/ss
On 07/08/16 12:43, Oliver Pinter wrote:
I was able to override this (somewhat unilateral, to my mind)
deprecation of the DH key exchange by using this option:
-oKexAlgorithms=+diffie-hellman-group1-sha1
You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.
Can this at least be ad
On 8/7/16, Bruce Simpson wrote:
> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing operational
>> basis (e.g. configuration file) for those of us who use FreeBSD to
>> connect directly to such devices?
>
> I was able to override this (somewhat
On 07/08/16 11:58, Bruce Simpson wrote:
Is there a way to revert this change, at least on an ongoing operational
basis (e.g. configuration file) for those of us who use FreeBSD to
connect directly to such devices?
I was able to override this (somewhat unilateral, to my mind)
deprecation of the
DES,
I believe this breaks logging into various embedded network devices,
unfortunately. E.g. the Netonix WISP Switch, which uses an embedded
Linux variant with dropbear 0.51. It is expecting to use DSA not RSA for
the key exchange.
Is there a way to revert this change, at least on an ongoi
On Wed, Aug 03, 2016 at 04:08:22PM +, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Wed Aug 3 16:08:21 2016
> New Revision: 303716
> URL: https://svnweb.freebsd.org/changeset/base/303716
>
> Log:
> Remove DSA from default cipher list and disable SSH1.
>
> Upstream did this a long ti
Benjamin Kaduk writes:
> Which branch(es) are MFC targets?
It will be merged to stable/11 before the release and documented in the
release notes.
> (Does POLA no longer apply to them?)
Things change over time. Such is the nature of software (and of life).
POLA does not mean we don't change any
On Wed, Aug 3, 2016 at 11:08 AM, Dag-Erling Smørgrav
wrote:
> Author: des
> Date: Wed Aug 3 16:08:21 2016
> New Revision: 303716
> URL: https://svnweb.freebsd.org/changeset/base/303716
>
> Log:
> Remove DSA from default cipher list and disable SSH1.
>
> Upstream did this a long time ago, but
Author: des
Date: Wed Aug 3 16:08:21 2016
New Revision: 303716
URL: https://svnweb.freebsd.org/changeset/base/303716
Log:
Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA. Now