This is ssh client. However, I guess it can be assumed that the server is built with the same set of ciphers (only one cipher actually) too.
yup, on the router, both belongs to the same net-misc/openssh ebuild, both were compiled with the same profile.
So blowfish-cbc has been disabled in ssh for a very long time now (since 2014) for being unsafe. Not sure if it's even still in code and just disabled as a compile-time option, or has been removed completely.
that's what I have to understand.
a) enabled/disabled due to a compile-time configure flag?
b) enabled/disabled due to a compile-time patch?
I see a lot of patches applied to net-misc/openssh
HPN_VER="15.2"
HPN_PATCHES=
(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-glue.patch"
HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
SCTP_VER="1.2"
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="14.1"
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
X509_HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( [url]https://dev.gentoo.org/~chutzpah/dist/openssh/[/url]${SCTP_PATCH} )}
PATCHES=
(
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
)
(basic patches)
plus other patches for the "hardened" profile
plus other patches for the "embedded" profile
****** too many patches, d'oh
******
Apparently your router is very old
2023-03 built:
=net-misc/openssh-v9.2
=dev-libs/openssl-v3.0.8
according to current profile, they are 39 days older; probably it's the profile that is *VERY* old, so the person who prepared the Catalyst profile, used a very old profile on recent packages.
The best way to solve it would be to compile
I always compile things myself, this time I didn't look at the profile used for { net-misc/openssh,
dev-libs/openssl, sys-libs/zlib, ... } ssh and I simply "copied" (never copy&paste --> never, don't be lazy!!!) it and added it to the things Catalyst had to compile, with the result that whoever prepared it ... evidently made some strange choices and not documented.
So, I don't know what? why? how? ... but this time I'm taking two days to write my own profile, and recompile the whole set of packages.