Requirements for crypto deprecation?

Joseph Reynolds jrey at
Wed May 13 01:48:54 AEST 2020

Ping.  Does anyone have requirements for a BMC admin to be able to 
disable cryptographic algorithms that help provide transport layer 
security (TLS) for network traffic?  For example, if 
ECDHE-ECDSA-AES256-GCM-SHA384 was broken [1], do we need a way to 
disable it for HTTPS in operational BMCs?

Note: The list of supported algorithms is compiled into the BMC's 
firmware image [2][3] and cannot be changed by an admin or shell 
commands; it requires reconfiguration of the source code and the BMC 
be updated with a new firmware image.

Is there interest in adding this function, knowing the fallback option 
is to update the firmware?

- Joseph

[1]: I am not saying or even hinting this is broken. ;-)
[3]: Similar compile-time config for dropbear SSH server.
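To make the requested function concrete, here is an added example (editor's illustration, not code from OpenBMC or from this message) of what an admin-managed runtime cipher-suite deny list could look like for the HTTPS server side. It assumes a hypothetical one-name-per-line config text, applies the entries as OpenSSL `!` exclusions on top of a base cipher string, validates each entry so a config line cannot smuggle in cipher-string directives that widen the set, and reports which suites the resulting context still offers. It only governs TLS 1.2 and earlier suites; TLS 1.3 suites are configured separately in OpenSSL and are not touched here.

```python
import re
import ssl

# Constructed sample of an admin-managed deny list (hypothetical format):
# one OpenSSL cipher suite name per line, '#' starts a comment.
DENY_LIST_CONFIG = """
# Suites the BMC admin has disabled for HTTPS
ECDHE-ECDSA-AES256-GCM-SHA384   # example only; no claim that it is broken
"""

# Base policy that would normally be fixed at build time.
BASE_CIPHER_STRING = "HIGH:!aNULL:!MD5"

# Cipher suite names are letters, digits and dashes only. Anything else
# (':' , '@SECLEVEL=', 'ALL', '+', etc.) is a cipher-string directive, not a
# suite name, and must not be accepted from a config file.
_SUITE_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def is_valid_suite_name(name: str) -> bool:
    """True if `name` looks like a plain OpenSSL cipher suite name."""
    return bool(_SUITE_NAME_RE.match(name))


def parse_deny_list(text: str) -> list[str]:
    """Return the suite names listed in the deny-list text.

    Comments and blank lines are ignored; an invalid entry raises ValueError
    rather than being silently passed through to the TLS library.
    """
    names = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if not is_valid_suite_name(entry):
            raise ValueError(f"invalid cipher suite name in deny list: {entry!r}")
        names.append(entry)
    return names


def build_cipher_string(base: str, denied: list[str]) -> str:
    """Append a '!NAME' exclusion for every denied suite to the base policy."""
    return ":".join([base] + ["!" + name for name in denied])


def build_server_context(denied: list[str],
                         base: str = BASE_CIPHER_STRING) -> ssl.SSLContext:
    """Create a server-side TLS context with the denied suites removed.

    ssl.SSLContext.set_ciphers raises ssl.SSLError if nothing remains, so a
    deny list that empties the policy fails loudly instead of starting an
    HTTPS server with no usable suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(build_cipher_string(base, denied))
    return ctx


def offered_suite_names(ctx: ssl.SSLContext) -> list[str]:
    """Names of the suites the context will offer (TLS 1.3 suites included,
    but those are not affected by set_ciphers)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    denied = parse_deny_list(DENY_LIST_CONFIG)
    ctx = build_server_context(denied)
    print("denied:", denied)
    for name in offered_suite_names(ctx):
        print("offered:", name)
```

The point of the validation step is that a runtime setting turns the cipher string from a compile-time constant into attacker-reachable input: a deny list must only ever narrow the offered set, never widen it.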
