From c081f3e234153554d4b1e28546b2b42df9a7cb03 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sat, 16 Mar 2019 11:01:30 +0000
Subject: [PATCH] Reorganise the default cipher preference order.

After all the side-channel removal work I've done, I'm demoting Blowfish and Arcfour right to the bottom of the pile, because they're the ciphers that still have cache and timing leaks in them. (Neither one can be sanitised without making it _extremely_ slow - the factor of 4.5 slowdown in DES would be small by comparison). Single-DES is also still below the warning threshold for simply being too weak (irrespective of side channels), but it's above the other two.
---
 settings.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/settings.c b/settings.c
index 59c7e8a5..8d563026 100644
--- a/settings.c
+++ b/settings.c
@@ -17,11 +17,11 @@
 static const struct keyvalwhere ciphernames[] = {
 { "aes", CIPHER_AES, -1, -1 },
 { "chacha20", CIPHER_CHACHA20, CIPHER_AES, +1 },
- { "blowfish", CIPHER_BLOWFISH, -1, -1 },
 { "3des", CIPHER_3DES, -1, -1 },
 { "WARN", CIPHER_WARN, -1, -1 },
+ { "des", CIPHER_DES, -1, -1 },
+ { "blowfish", CIPHER_BLOWFISH, -1, -1 },
 { "arcfour", CIPHER_ARCFOUR, -1, -1 },
- { "des", CIPHER_DES, -1, -1 }
 };
 
 /* The default order here is sometimes overridden by the backward-
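Review bot: The reason `des`, `blowfish` and `arcfour` now sit below `WARN` in this order is recorded only in the commit message, so a later reader of `ciphernames[]` cannot tell that des is there for weakness while the other two are last because of remaining cache and timing leaks. I would add a comment above the `{ "des", ... }` entry such as `/* Below WARN: des is too weak; blowfish and arcfour still leak via cache/timing */`. The trailing comment says this default is sometimes overridden, and it continues outside the hunk, so presumably sessions with a stored cipher list keep their old order; it is worth confirming whether those configurations also get the demotion.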