#1
vshelld_config Ciphers
We have a trading partner which is stipulating that we disable AES128. We believe that we will be able to do that by adding the following line to /usr/local/etc/vshelld_config:

Ciphers { aes192-ctr,aes256-ctr,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour }

Our questions are:

1. Will this change completely disable AES128?
2. Will we be able to issue /etc/init.d/vshell reload to make the change take effect?
3. Are all of the ciphers listed supported? (We got the list from the man page...)
4. Are all of the listed ciphers secure, or are there some which should not be on the list?
5. Are there any additional ciphers which should be added to the list?

Thank you.

Chuck
#2
AES-*-CBC ciphers are considered to be weaker than the *CTR counterparts, but I'm unaware of AES-128-CTR being so weak that it would be banned/avoided. If the suggestion of your trading partner is to disable AES-128 (either variant), you'd certainly want to avoid 3DES and RC4 for sure since they're considered to be weaker.

You can test your configuration once you've reloaded the config by using the vsh command line utility that ships with VShell. For example:

Code:
$ vsh -v localhost
...
[LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,twofish-cbc,blowfish-cbc
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,twofish-cbc,blowfish-cbc
[LOCAL] : Selected Recv Cipher = aes256-ctr
...

Code:
Cipher Name          Config String
--------------------------------------------------
AES-128-CTR          aes128-ctr
AES-192-CTR          aes192-ctr
AES-256-CTR          aes256-ctr
AES-128              aes128-cbc
AES-192              aes192-cbc
AES-256              aes256-cbc
ChaCha20-Poly1305    chacha20-poly1305@openssh.com
Twofish              twofish-cbc
Blowfish             blowfish-cbc
3DES                 3des-cbc
RC4                  arcfour

If security is of the utmost concern (compatibility and performance/speed as a "zero" concern), you would disable all but the strongest ciphers, but if you need to be compatible with a wide variety of old/new clients, disabling older/weaker ciphers may not be a good idea since those clients may no longer be able to successfully connect. 3DES/3des and RC4/arcfour are probably the weakest ciphers in the list. For the AES-* ciphers, the CBC ciphers are generally considered weaker than their CTR counterparts; the CBC ciphers don't have "cbc" as part of their name. The CTR ciphers have '-ctr' as part of their name. Some consider the ChaCha20-Poly1305 to be the most secure cipher of those that VShell currently supports.
--Jake
__________________
Jake Devenport
VanDyke Software Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
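The reply above suggests reloading and then reading the "Available Remote ... Ciphers" lines from `vsh -v` to confirm the change. The following script is an added example, not VanDyke's code or anything from the thread: it parses a `Ciphers { ... }` line in the brace syntax quoted in the question (assumed to be exactly what vshelld_config accepts), audits it against the "no AES-128" requirement and the weak-cipher remarks in the reply, and compares it with a constructed `vsh -v` transcript to show which ciphers a server still offers after a reload.

```python
import re

# Legacy ciphers the reply singles out as the weakest in VShell's supported list.
LEGACY = {"3des-cbc", "arcfour"}

def parse_vshelld_ciphers(config_text):
    """Return the cipher name-list from a 'Ciphers { a,b,c }' line.
    The brace syntax follows the line quoted in the question (assumption)."""
    m = re.search(r"^\s*Ciphers\s*\{([^}]*)\}", config_text, re.MULTILINE)
    return [c.strip() for c in m.group(1).split(",") if c.strip()] if m else []

def parse_vsh_offered(vsh_output):
    """Collect every cipher the server advertised, taken from the
    '[LOCAL] : Available Remote Send/Recv Ciphers = ...' lines of 'vsh -v'."""
    offered = set()
    for m in re.finditer(r"Available Remote (?:Send|Recv) Ciphers = (\S+)", vsh_output):
        offered.update(m.group(1).split(","))
    return offered

def audit(ciphers):
    """Flag entries a partner banning AES-128 (and a cautious admin) would object to."""
    findings = []
    for c in ciphers:
        if c.startswith("aes128"):
            findings.append((c, "AES-128 variant; must be removed"))
        elif c in LEGACY:
            findings.append((c, "legacy cipher; weakest in the supported list"))
        elif c.endswith("-cbc"):
            findings.append((c, "CBC mode; weaker than its CTR counterpart"))
    return findings

def unexpected_after_reload(config_text, vsh_output):
    """Ciphers the server still offers that are absent from the configured list.
    An empty set means the reload took effect as intended."""
    return parse_vsh_offered(vsh_output) - set(parse_vshelld_ciphers(config_text))

# Constructed sample inputs: the Ciphers line from the question, and a made-up
# 'vsh -v' transcript in which the server is still offering aes128-ctr.
CONFIG = ("# vshelld_config (excerpt, constructed)\n"
          "Ciphers { aes192-ctr,aes256-ctr,aes192-cbc,aes256-cbc,"
          "twofish-cbc,blowfish-cbc,3des-cbc,arcfour }\n")
VSH_OUTPUT = (
    "[LOCAL] : Available Remote Send Ciphers = aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc\n"
    "[LOCAL] : Selected Send Cipher = aes256-ctr\n"
    "[LOCAL] : Available Remote Recv Ciphers = aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc\n"
)

if __name__ == "__main__":
    for name, why in audit(parse_vshelld_ciphers(CONFIG)):
        print(f"{name:14} {why}")
    print("still offered but not configured:", sorted(unexpected_after_reload(CONFIG, VSH_OUTPUT)))
```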
#3
vshelld_config Ciphers
We are checking with our trading partner on their stance regarding AES128-CTR.
Our VShell server appears to be running version 4.2.2:

Code:
vsh version 7.5.0 (build 1121) starting. (Using SSH2Core version 7.5.0.1121.)
[LOCAL] : SSH2Core version 7.5.0.1121
[LOCAL] : Connecting to localhost:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-VShell_4_2_2_1121 VShell'
#4
VShell version 4.2 supports the following ciphers (from man vshelld_config):

Code:
Name           String
----------------------------
AES-128-CTR    aes128-ctr
AES-192-CTR    aes192-ctr
AES-256-CTR    aes256-ctr
AES-128        aes128-cbc
AES-192        aes192-cbc
AES-256        aes256-cbc
Twofish        twofish-cbc
Blowfish       blowfish-cbc
3DES           3des-cbc
RC4            arcfour
__________________
Jake Devenport
VanDyke Software Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support