- (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
the required OpenSSL support. Patch from naddy at freebsd.
diff --git a/ChangeLog b/ChangeLog
index f5e2df0..fd88e09 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20130610
+ - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
+ the required OpenSSL support. Patch from naddy at freebsd.
+
20130516
- (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
executed if mktemp failed; bz#2105 ok dtucker@
diff --git a/myproposal.h b/myproposal.h
index 99d0934..05b17db 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -45,6 +45,13 @@
# define HOSTKEY_ECDSA_METHODS
#endif
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
+#else
+# define AESGCM_CIPHER_MODES
+#endif
+
/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# define KEX_SHA256_METHODS \
@@ -73,7 +80,7 @@
#define KEX_DEFAULT_ENCRYPT \
"aes128-ctr,aes192-ctr,aes256-ctr," \
"arcfour256,arcfour128," \
- "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
+ AESGCM_CIPHER_MODES \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
#ifdef HAVE_EVP_SHA256
