Dropbear 2018.76 when behaving as client sending sha1 as mac

Chahar, Rohini Rohini.Chahar at netscout.com
Thu Apr 11 12:11:52 AWST 2019 

Hi Matt,

Please find my responses below.

Regards,
Rohini

From: Matt Johnston <matt at ucc.asn.au>
Sent: 10 April 2019 18:39
To: Chahar, Rohini <Rohini.Chahar at netscout.com>
Cc: dropbear at ucc.asn.au
Subject: Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

[EXTERNAL EMAIL]
Hi Rohini,

I'm not entirely clear about the problem - is the conneciton failing or is it just selecting hmac-sha2-sha1 which you don't want?
ROHINI >> Dropbear is selecting sha1 and sha2 on its own. My understanding was first sha2 is tried and when the server do not supports it them dropbear move to sha1 but it is not happening. When sending request to server it is sending sha1 only. In default_options.h file comment also says "/* Message integrity. sha2-256 is recommended as a default, sha1 for compatibility */"

The algorithm chosen will be the first one in the client's list that is also in the server's list. When you do the "copy to the server" is it dropbear as a client that is sending hmac-sha1? Was that compiled with sha2 enabled in the options?
ROHINI >> Yes when I am doing copy to server dropbear is selecting sha1. Yes sha2 is enabled in options. I also tried disabling sha1 then dropbear is sending sha2. I do not want to disable sha2 I want it to be the first one used by dropbear. Is there any priority setting which is doing so?

If you can build them with

#define DEBUG_TRACE 1

in localoptions.h then running with "dropbear -v" and "dbclient -v" will give some debug output, or a tcpdump/wireshark capture should show what's going on too.
ROHINI >> I captured packets in wireshark and from there only I reached to this conclusion.

Cheers,
Matt


On Wed 10/4/2019, at 8:15 pm, Chahar, Rohini <Rohini.Chahar at netscout.com<mailto:Rohini.Chahar at netscout.com>> wrote:

Hi,

I am experiencing a problem w.r.t dropbear 2018.76. I have the version installed and it is working fine but when I try to do a copy from this to a server that time dropbear is sending mac as hmac-sha1. However when I try to do login via putty that time dropbear behaves as server and uses mac as hmac-sha2-256.
In default file it is written that sha2 is default option but it is not coming as default. My understanding was that dropbear sends sha2 as default option and when server do not supports the mac it falls back to sha1.
Do I need to do some code changes or is this a known problem? Please help me in resolving this issue.

Regards,
Rohini

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20190411/3b524bc6/attachment.htm

More information about the Dropbear mailing list