#112 Default lanplus ciphersuite is now 0 instead of 3


Introduced in 1.8.12, the default ciphersuite is now 0 (none) instead of 3 (RAKP-HMAC-SHA1/HMAC-SHA1-96/AES-CBC-128). The manpage still states the default is 3. I would recommend changing the default back to 3 (to make the previous versions and the manpage). Without this change, one wanting/needing to use the predominant ciphersuite has to specify the '-C 3' command-line option.


  • Jim Mankovich

    Jim Mankovich - 2012-09-25

    In looking at the current default for ciphersuite (cipher_suite_id in ipmi_main.c), I see the default as 1 and not 0. You are correct that the default was changed from 3 after 1.8.11 was released (in April of 2010). The submit comment doesn't provide enough info to understand why the change was made. "Changed default cipher suite to 1 instead of 3 for iol20". I personally don't have any problem with changing it back to 3, but I wonder if there was a good reason to change it from 3 to 1.

    Why do you believe the current default in 1.8.12 is 0?

  • Rob Swindell

    Rob Swindell - 2012-09-25

    I noticed that ipmitool 1.8.12 was attempting to use an integrity algorithm of "none", so I assumed the default ciphersuite had been changed to 0. Apparently ciphersuite 1 specifies aan integrity algorithm of "none", so you're right, the default could be 1 or 0 (or 6) - as shown in Table 22-19 of the IPMI spec. The previous default of 3 (reflected in the manpage) makes the most sense however since that is what is required by the DCMI specification and is the theoretically "most secure" combination of algorithms specified in the IPMI spec.

    Plus, I don't think changing the default to a *less* secure ciphersuite would ever be a good idea.


  • Ales Ledvinka

    Ales Ledvinka - 2012-11-20

    sorry for the duplicate 3588727 (the simple patch there)

    searched for the explanation of the "iol20" from the original commit comment.
    first thinking of some crypto law but found many results matching low power consumption of embedded devices. but still it's not 100% match. got no info yet from the change author.
    if it's low power related then there it should be worth to make a non-trivial change for the defaults per ipmi command since the sol and write operations are most likely going to fail for most users while the read opeartions might be mostly ok with cipher suite 1

  • Zdenek Styblik

    Zdenek Styblik - 2013-03-09
    • milestone: --> version-1.8.12
  • Jim Mankovich

    Jim Mankovich - 2013-03-11
    • assigned_to: nobody --> jmank
  • Zdenek Styblik

    Zdenek Styblik - 2013-03-11
    • status: open --> closed-fixed
  • Zdenek Styblik

    Zdenek Styblik - 2013-03-11

    Code has been reverted, resp. back to default auth 3.


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks