git.ipfire.org Git - ipfire-2.x.git/commit
OpenSSH: Prefer AES-GCM ciphers over AES-CTR
author Peter Müller <peter.mueller@ipfire.org>
Sun, 28 Sep 2025 21:05:00 +0000 (21:05 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 30 Sep 2025 08:55:53 +0000 (08:55 +0000)
commit 98f14a3863aa34b492c8f2d984895f5d837260cd
tree d1a4e32cee418687ab0951253126fa763cf95de1
parent 64e39a2b970010d454dfb2069954b89cd498a05a
OpenSSH: Prefer AES-GCM ciphers over AES-CTR

This reflects the following change made upstream in OpenSSH 9.9:

 * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
   for the connection. The default cipher preference list is now
   Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
   (128/192/256).

However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former a better performance, while there
is no security advantage of Chacha/Poly usage over 256-bit AES-GCM.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/ssh/ssh_config
config/ssh/sshd_config
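
To confirm that a host's effective cipher list follows the order the commit message describes (AES-GCM first, then ChaCha20-Poly1305, then AES-CTR), the list can be checked mechanically. This is an added example, not part of the IPFire commit; the function names and the sample list are constructed for illustration and are not the project's actual `Ciphers` line.

```shell
#!/bin/sh
# Added example (not IPFire code): verify that a cipher list follows the
# preference order from the commit message: AES-GCM, ChaCha20-Poly1305, AES-CTR.

# Map a cipher name to its preference class; lower means more preferred.
cipher_class() {
    case "$1" in
        aes*-gcm@openssh.com)          echo 1 ;;
        chacha20-poly1305@openssh.com) echo 2 ;;
        aes*-ctr)                      echo 3 ;;
        *)                             echo 0 ;;  # family not named in the commit message
    esac
}

# check_cipher_order LIST  (LIST is comma-separated, as printed by `sshd -T`)
# Returns 0 if the order matches, 1 if a family is out of order,
# 2 if the list is empty or contains a cipher outside the three families.
check_cipher_order() {
    if [ -z "$1" ]; then
        return 2
    fi
    last=0
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        cls=$(cipher_class "$c")
        if [ "$cls" -eq 0 ]; then
            echo "unexpected cipher: $c" >&2
            return 2
        fi
        if [ "$cls" -lt "$last" ]; then
            echo "out of order: $c" >&2
            return 1
        fi
        last=$cls
    done
    return 0
}

# Constructed sample list (an assumption, not the project's actual Ciphers line).
SAMPLE="aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
if check_cipher_order "$SAMPLE"; then
    echo "sample list: order OK"
fi

# On a live host the effective lists can be fed in like this:
#   check_cipher_order "$(sshd -T | awk '$1 == "ciphers" { print $2 }')"
#   check_cipher_order "$(ssh -G example.org | awk '$1 == "ciphers" { print $2 }')"
```

A list in the upstream OpenSSH 9.9 default order (ChaCha20-Poly1305 ahead of AES-GCM) returns 1 here, which is the deviation the commit message describes.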