components/openssh/patches/045-remove_unacceptable_algs.patch
changeset 7649 69d7508f0d66
parent 6930 31ef2580c45d
--- a/components/openssh/patches/045-remove_unacceptable_algs.patch	Mon Feb 06 13:54:36 2017 -0800
+++ b/components/openssh/patches/045-remove_unacceptable_algs.patch	Mon Feb 06 22:51:03 2017 -0800
@@ -8,6 +8,10 @@
 # Disabling arcfour used to be implemented by Solaris specific macro
 # WITHOUT_ARCFOUR, but now upstream OPENSSL_NO_RC4 is used instead.
 #
+# Update Jan 4, 2017:
+# We used to disable 3des-cbc on the client, but now upstream does that too and
+# we no longer have to.
+#
 # Patch source: in-house
 #
 diff -pur old/mac.c new/mac.c
@@ -21,10 +25,10 @@
  	{ "hmac-md5",				SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 },
  	{ "hmac-md5-96",			SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 },
 +#endif
+ #ifdef HAVE_EVP_RIPEMD160
  	{ "hmac-ripemd160",			SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
  	{ "[email protected]",		SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
- 	{ "[email protected]",		SSH_UMAC, 0, 0, 128, 64, 0 },
-@@ -101,8 +103,10 @@ static const struct macalg macs[] = {
+@@ -103,8 +105,10 @@ static const struct macalg macs[] = {
  	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
  	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
  #endif
@@ -32,59 +36,27 @@
  	{ "[email protected]",		SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 },
  	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 },
 +#endif
+ #ifdef HAVE_EVP_RIPEMD160
  	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 },
- 	{ "[email protected]",		SSH_UMAC, 0, 0, 128, 64, 1 },
- 	{ "[email protected]",		SSH_UMAC128, 0, 0, 128, 128, 1 },
-diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h
-+++ new/myproposal.h
-@@ -140,14 +140,14 @@
- 	AESGCM_CIPHER_MODES
- 
- #define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
--	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
-+	"aes128-cbc,aes192-cbc,aes256-cbc"
- 
- #define KEX_SERVER_ENCRYPT_FIPS \
- 	"aes128-ctr,aes192-ctr,aes256-ctr" \
- 	AESGCM_CIPHER_MODES
- 
- #define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
--	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
-+	"aes128-cbc,aes192-cbc,aes256-cbc"
- 
- #define KEX_SERVER_MAC_DFLT \
- 	"[email protected]," \
+ #endif
 diff -pur old/ssh_config.5 new/ssh_config.5
 --- old/ssh_config.5
 +++ new/ssh_config.5
-@@ -470,12 +470,6 @@ [email protected]
- .It
+@@ -427,9 +427,6 @@ aes192-ctr
+ aes256-ctr
+ [email protected]
  [email protected]
- .It
 -arcfour
--.It
 -arcfour128
--.It
 -arcfour256
--.It
  blowfish-cbc
- .It
  [email protected]
-@@ -486,7 +480,7 @@ The default is:
- [email protected],
- aes128-ctr,aes192-ctr,aes256-ctr,
- [email protected],[email protected],
--aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
-+aes128-cbc,aes192-cbc,aes256-cbc
  .Ed
- .Pp
- The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
 diff -pur old/sshd.8 new/sshd.8
 --- old/sshd.8
 +++ new/sshd.8
-@@ -310,12 +310,12 @@ For protocol 2,
- forward security is provided through a Diffie-Hellman key agreement.
+@@ -258,12 +258,12 @@ host key against its own database to ver
+ Forward security is provided through a Diffie-Hellman key agreement.
  This key agreement results in a shared session key.
  The rest of the session is encrypted using a symmetric cipher, currently
 -128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES.
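Review bot: Deleting the whole myproposal.h hunk also deletes the removal of `3des-cbc` from `KEX_CLIENT_ENCRYPT_FIPS`, and the rationale in the new header comment (upstream now disables it on the client) may not cover that macro. The dropped hunk shows `KEX_SERVER_ENCRYPT_FIPS` and `KEX_CLIENT_ENCRYPT_FIPS` as existing lines, and these appear to come from another in-house patch rather than from upstream; if so, upstream's change to the client default would leave the FIPS client list untouched. Please confirm that the patch defining that macro now ends its list with `"aes128-cbc,aes192-cbc,aes256-cbc"`. If 3des-cbc is meant to stay in the FIPS client proposal, the "Update Jan 4, 2017" note should say so explicitly. Comparing the `ciphers` line of `ssh -G <host>` in default and FIPS mode on the built package would settle it.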
@@ -101,7 +73,7 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
-@@ -471,12 +471,6 @@ [email protected]
+@@ -460,12 +460,6 @@ [email protected]
  .It
  [email protected]
  .It
@@ -114,7 +86,7 @@
  blowfish-cbc
  .It
  [email protected]
-@@ -1009,10 +1003,6 @@ The supported MACs are:
+@@ -981,10 +975,6 @@ The supported MACs are:
  .Pp
  .Bl -item -compact -offset indent
  .It
@@ -125,7 +97,7 @@
  hmac-ripemd160
  .It
  hmac-sha1
-@@ -1027,10 +1017,6 @@ [email protected]
+@@ -999,10 +989,6 @@ [email protected]
  .It
  [email protected]
  .It