<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Dropbear has sha1 as the first on its priority list. You can change the order of the options in common-algo.c <div class=""><a href="https://secure.ucc.asn.au/hg/dropbear/file/tip/common-algo.c#l185" class="">https://secure.ucc.asn.au/hg/dropbear/file/tip/common-algo.c#l185</a></div><div class=""><br class=""></div><div class="">I'll change it so that sha1 has lower priority for a future release.</div><div class="">Currently I don't think there is any security problem with sha1 as a hmac?</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">Matt<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Thu 11/4/2019, at 12:11 pm, Chahar, Rohini <<a href="mailto:Rohini.Chahar@netscout.com" class="">Rohini.Chahar@netscout.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="">Hi Matt,<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="">Please find my responses below.<o:p class=""></o:p></span></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Regards,<o:p class=""></o:p></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Rohini<o:p class=""></o:p></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class=""><o:p class=""> </o:p></span></div><div class=""><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0cm 0cm;" class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span lang="EN-US" class="">From:</span></b><span lang="EN-US" class=""><span class="Apple-converted-space"> </span>Matt Johnston <<a href="mailto:matt@ucc.asn.au" style="color: purple; text-decoration: underline;" class="">matt@ucc.asn.au</a>><span class="Apple-converted-space"> </span><br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>10 April 2019 18:39<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Chahar, Rohini <<a href="mailto:Rohini.Chahar@netscout.com" style="color: purple; text-decoration: underline;" class="">Rohini.Chahar@netscout.com</a>><br class=""><b class="">Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:dropbear@ucc.asn.au" style="color: purple; text-decoration: underline;" class="">dropbear@ucc.asn.au</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: Dropbear 2018.76 when behaving as client sending sha1 as mac<o:p class=""></o:p></span></div></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; text-align: center;" class=""><span style="font-size: 10pt; color: red;" class="">[EXTERNAL EMAIL]</span><o:p class=""></o:p></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hi Rohini,<o:p class=""></o:p></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I'm not entirely clear about the problem - is the conneciton failing or is it just selecting hmac-sha2-sha1 which you don't want?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(132, 60, 12);" class="">ROHINI >> Dropbear is selecting sha1 and sha2 on its own. My understanding was first sha2 is tried and when the server do not supports it them dropbear move to sha1 but it is not happening. When sending request to server it is sending sha1 only. In default_options.h file comment also says “/* Message integrity. sha2-256 is recommended as a default, sha1 for compatibility */”<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The algorithm chosen will be the first one in the client's list that is also in the server's list. When you do the "copy to the server" is it dropbear as a client that is sending hmac-sha1? Was that compiled with sha2 enabled in the options?<o:p class=""></o:p></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(132, 60, 12);" class="">ROHINI >> Yes when I am doing copy to server dropbear is selecting sha1. Yes sha2 is enabled in options. I also tried disabling sha1 then dropbear is sending sha2. I do not want to disable sha2 I want it to be the first one used by dropbear. Is there any priority setting which is doing so?<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">If you can build them with <o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">#define DEBUG_TRACE 1<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">in localoptions.h then running with "dropbear -v" and "dbclient -v" will give some debug output, or a tcpdump/wireshark capture should show what's going on too.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(132, 60, 12);" class="">ROHINI >> I captured packets in wireshark and from there only I reached to this conclusion.<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Cheers,<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Matt<o:p class=""></o:p></div></div><div class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On Wed 10/4/2019, at 8:15 pm, Chahar, Rohini <<a href="mailto:Rohini.Chahar@netscout.com" style="color: purple; text-decoration: underline;" class="">Rohini.Chahar@netscout.com</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hi,<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I am experiencing a problem w.r.t dropbear 2018.76. I have the version installed and it is working fine but when I try to do a copy from this to a server that time dropbear is sending mac as hmac-sha1. However when I try to do login via putty that time dropbear behaves as server and uses mac as hmac-sha2-256.<span class="apple-converted-space"> </span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">In default file it is written that sha2 is default option but it is not coming as default. My understanding was that dropbear sends sha2 as default option and when server do not supports the mac it falls back to sha1.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Do I need to do some code changes or is this a known problem? Please help me in resolving this issue.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Regards,<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Rohini</div></div></div></blockquote></div></div></div></div></blockquote></div><br class=""></div></body></html>