diff --git a/ChangeLog b/ChangeLog
index c5a64002c..1c1f8738b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@
    - stevesk@cvs.openbsd.org 2001/03/05 15:44:51
      [servconf.c]
      sync error message; ok markus@
+   - deraadt@cvs.openbsd.org 2001/03/05 15:56:16
+     [myproposal.h ssh.1]
+     switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster;
+     provos & markus ok
 
 20010305
  - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch]
@@ -4377,4 +4381,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.910 2001/03/06 01:02:41 mouring Exp $
+$Id: ChangeLog,v 1.911 2001/03/06 01:05:23 mouring Exp $
diff --git a/myproposal.h b/myproposal.h
index 03f76839b..4a9a36370 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: myproposal.h,v 1.11 2001/02/11 12:59:24 markus Exp $	*/
+/*	$OpenBSD: myproposal.h,v 1.12 2001/03/05 15:56:16 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -26,12 +26,12 @@
 #define KEX_DEFAULT_KEX		"diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
 #define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
 #define	KEX_DEFAULT_ENCRYPT \
-	"3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
-	"aes128-cbc,aes192-cbc,aes256-cbc," \
+	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
+	"aes192-cbc,aes256-cbc," \
 	"rijndael128-cbc,rijndael192-cbc,rijndael256-cbc," \
 	"rijndael-cbc@lysator.liu.se"
 #define	KEX_DEFAULT_MAC \
-	"hmac-sha1,hmac-md5,hmac-ripemd160," \
+	"hmac-md5,hmac-sha1,hmac-ripemd160," \
 	"hmac-ripemd160@openssh.com," \
 	"hmac-sha1-96,hmac-md5-96"
 #define	KEX_DEFAULT_COMP	"none,zlib"
diff --git a/ssh.1 b/ssh.1
index 53cebcfd7..79b075fff 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.93 2001/03/02 18:54:31 deraadt Exp $
+.\" $OpenBSD: ssh.1,v 1.94 2001/03/05 15:56:16 deraadt Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -228,7 +228,7 @@ S/Key authentication.
 .Pp
 Protocol 2 provides additional mechanisms for confidentiality
 (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-sha1, hmac-md5).
+and integrity (hmac-md5, hmac-sha1).
 Note that protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
@@ -667,7 +667,7 @@ Multiple ciphers must be comma-separated.
 The default is
 .Pp
 .Bd -literal
-  ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
     aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,
     rijndael256-cbc,rijndael-cbc@lysator.liu.se''
 .Ed
@@ -831,7 +831,7 @@ Multiple algorithms must be comma-separated.
 The default is
 .Pp
 .Bd -literal
-  ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,
+  ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
     hmac-sha1-96,hmac-md5-96''
 .Ed
 .It Cm NumberOfPasswordPrompts