From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-1100-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [IPv6:::1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cZcKw29N6z2xSN
	for <archive@lists.ipfire.org>; Sun, 28 Sep 2025 21:05:40 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cZcKr6kHmz2xP7
	for <development@lists.ipfire.org>; Sun, 28 Sep 2025 21:05:36 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4cZcKn2r6Hz3X8
	for <development@lists.ipfire.org>; Sun, 28 Sep 2025 21:05:33 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1759093534;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X/0pFEr+sGtcvge2NBePhBB50ShBGdKgQR5DnPUt/vA=;
	b=IsryebmKVySUYmrsz6kU5XlPKCb3hxDpio9E1KMi5J2/DYExdVKb4UusCQuOv9YtuTKpCx
	R3ewNvIcVI8/LkCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1759093534;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X/0pFEr+sGtcvge2NBePhBB50ShBGdKgQR5DnPUt/vA=;
	b=k1cYbSpJVaViUnbqJzgQn6qWQ3Mga9DqEWDyC4eMa3Jl8qgkiJ/ZhZVFOqeeyTPS/xzTDe
	+jnkotHpuonwZ4igpLEyW743AmnAKQfeZhjWQZtPsVgDeDeO0sNGdI0Int2ZQyiIVWW8X2
	A4jxjRXq+053ujqWhbpoZ+6g+XhnvL0/a2YsVCTjuwx1KF7M63ZGkF17p6CvoGQLVEktsW
	Wd6kDqROloM8O2ShQToIGB6YQBsCeGaJl6quyqgi/kgtHLOydsOA7I+tGYY7EEXQskxnwG
	+CgOPAqeBoH5gEKJLW16YU6eGQXBPjeNBq3wkNaUOYRbu04ss82ZYBFE/3HJww==
Message-ID: <5d3b4fdd-fe49-4997-b00c-c2fd723f0e4a@ipfire.org>
Date: Sun, 28 Sep 2025 21:05:00 +0000
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?UTF-8?Q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH 1/3] OpenSSH: Prefer AES-GCM ciphers over AES-CTR
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reflects the following change made upstream in OpenSSH 9.9:

 * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
   for the connection. The default cipher preference list is now
   Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
   (128/192/256).

However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former a better performance, while there
is no security advance of Chacha/Poly usage over 256 bit AES-GCM.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/ssh/ssh_config  | 2 +-
 config/ssh/sshd_config | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index d5f63f315..a248001ff 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -10,7 +10,7 @@ Host *
 
         # Only use secure crypto algorithms
         KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-        Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+        Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
         MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
         # Always visualise server host keys (helps to identify key based MITM attacks)
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index 7b687457c..25e5b1838 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -21,7 +21,7 @@ MaxStartups 5
 
 # Only allow safe crypto algorithms
 KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
 # Only allow cryptographically safe SSH host keys (adjust paths if needed)
-- 
2.51.0