Posted to dev@mina.apache.org by "Achim Hügen (Jira)" <ji...@apache.org> on 2021/03/02 08:15:00 UTC

[jira] [Created] (SSHD-1136) Diffie Hellman group exchange falls back to insecure DHG1 if agreement on moduli size is not possible

Achim Hügen created SSHD-1136:
---------------------------------

             Summary: Diffie Hellman group exchange falls back to insecure DHG1 if agreement on moduli size is not possible
                 Key: SSHD-1136
                 URL: https://issues.apache.org/jira/browse/SSHD-1136
             Project: MINA SSHD
          Issue Type: Bug
    Affects Versions: 2.6.0
            Reporter: Achim Hügen


After the implementation of SSHD-1107, we configured the minimum modulus size of diffie-hellman-group-exchange-sha256 to 2048 bits and expected clients that don't support this minimum to not be able to connect.
But what happens is that those clients can still connect and this warning is logged:
{code}
chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])[ShaftServerSession[null@/10.42.110.99:44222]][prf=1024, min=1024, max=1024] No suitable primes found, defaulting to DHG1
{code}

My understanding is that this is a fallback to diffie-hellman-group1-sha1, which is weak; see https://www.openssh.com/legacy.html

Mina should make this fallback configurable and not activate it by default.




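One way to find sessions that hit this fallback in existing server logs, as an added example that is not part of the original report or of MINA SSHD. The regular expression is derived only from the single warning quoted in the report; the function name, the policy_min_bits parameter, the reason labels and the 192.0.2.x log lines are constructed for illustration, and reading prf/min/max as the sizes requested by the client is an assumption.

```python
import re

# Layout taken from the one warning quoted in the report; other MINA SSHD
# versions or logging patterns may format it differently (assumption).
FALLBACK_RE = re.compile(
    r"chooseDH\(\w+\[(?P<kex>[^\]]+)\]\)"
    r"\[\w+\[(?P<user>[^@\]]*)@/(?P<peer>[^\]]+)\]\]"
    r"\[prf=(?P<prf>\d+), min=(?P<min>\d+), max=(?P<max>\d+)\]"
    r" No suitable primes found, defaulting to DHG1"
)


def find_dhg1_fallbacks(lines, policy_min_bits=2048):
    """Return one record per DHG1 fallback warning found in `lines`."""
    hits = []
    for line in lines:
        m = FALLBACK_RE.search(line)
        if not m:
            continue
        # Assumption: prf/min/max are the modulus sizes the client asked for.
        req = {k: int(m.group(k)) for k in ("prf", "min", "max")}
        if req["max"] < policy_min_bits:
            # The client could never satisfy the configured minimum.
            reason = "client-range-below-policy"
        else:
            # The client range allows a compliant size, yet no prime was found.
            reason = "no-server-prime-in-range"
        hits.append({"peer": m.group("peer"), "kex": m.group("kex"),
                     "requested": req, "reason": reason})
    return hits


SAMPLE_LOG = [
    # Warning quoted in the report.
    "chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])"
    "[ShaftServerSession[null@/10.42.110.99:44222]]"
    "[prf=1024, min=1024, max=1024] No suitable primes found, defaulting to DHG1",
    # Constructed lines (not from the report).
    "chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])"
    "[ShaftServerSession[null@/192.0.2.7:51514]]"
    "[prf=4096, min=2048, max=8192] No suitable primes found, defaulting to DHG1",
    "Session created from /192.0.2.9:40022",
]

if __name__ == "__main__":
    for hit in find_dhg1_fallbacks(SAMPLE_LOG):
        print(hit["peer"], hit["requested"], hit["reason"])
```

A "client-range-below-policy" hit identifies a peer that would be rejected once the fallback is disabled; a "no-server-prime-in-range" hit points at the server's own prime list instead.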