  1. MINA SSHD
  2. SSHD-1136

Diffie-Hellman group exchange falls back to insecure DHG1 if agreement on modulo size is not possible

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.6.0
    • 2.7.0
    • None

    Description

      After implementation of SSHD-1107 we configured the minimum modulo size of diffie-hellman-group-exchange-sha256 to 2048 bits and expected clients that don't support this minimum to not be able to connect.
      But what happens is that those clients can still connect and this warning is logged:

      chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])[ShaftServerSession[null@/10.42.110.99:44222]][prf=1024, min=1024, max=1024] No suitable primes found, defaulting to DHG1
      

      My understanding is that this is a fallback to diffie-hellman-group1-sha1, which is weak; see https://www.openssh.com/legacy.html

      Mina should make this fallback configurable and not activate it by default.
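
An added example, not part of the original report and not MINA SSHD code: a log audit that finds sessions which hit the DHG1 fallback described above and lists peers whose maximum modulus size is below the configured minimum. The regular expression is derived only from the warning line quoted in the report; the timestamp prefixes, the second and third sample lines, and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Built from the one warning line quoted in the report; any prefix before
# "chooseDH" (timestamp, level) is skipped because search() is used.
FALLBACK_RE = re.compile(
    r"chooseDH\(\w+\[(?P<kex>[\w.@-]+)\]\)"
    r"\[\w+\[(?P<user>[^@\]]*)@/(?P<peer>[^\]]+):(?P<port>\d+)\]\]"
    r"\[prf=(?P<prf>\d+), min=(?P<min>\d+), max=(?P<max>\d+)\]"
    r" No suitable primes found, defaulting to DHG1")

@dataclass(frozen=True)
class Dhg1Fallback:
    kex: str
    user: str
    peer: str
    port: int
    preferred: int   # modulus size the client asked for (prf)
    client_min: int
    client_max: int

def find_dhg1_fallbacks(lines):
    """Yield one record per log line that reports the DHG1 fallback."""
    for line in lines:
        m = FALLBACK_RE.search(line)
        if m:
            yield Dhg1Fallback(m["kex"], m["user"], m["peer"], int(m["port"]),
                               int(m["prf"]), int(m["min"]), int(m["max"]))

def peers_to_review(lines, configured_min=2048):
    """Count fallback sessions per peer whose largest acceptable modulus is
    under the server's configured minimum (2048 bits in the report)."""
    counts = {}
    for hit in find_dhg1_fallbacks(lines):
        if hit.client_max < configured_min:
            counts[hit.peer] = counts.get(hit.peer, 0) + 1
    return counts

# Constructed sample: line 1 is the reported warning with an assumed timestamp
# prefix; lines 2 and 3 are invented (192.0.2.7 is a documentation address).
SAMPLE_LOG = [
    "2021-01-01 10:00:00 WARN chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])[ShaftServerSession[null@/10.42.110.99:44222]][prf=1024, min=1024, max=1024] No suitable primes found, defaulting to DHG1",
    "2021-01-01 10:00:05 INFO unrelated line without the fallback warning",
    "2021-01-01 10:00:09 WARN chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])[ShaftServerSession[backup@/192.0.2.7:51514]][prf=2048, min=2048, max=4096] No suitable primes found, defaulting to DHG1",
]

if __name__ == "__main__":
    for peer, n in peers_to_review(SAMPLE_LOG).items():
        print(f"{peer}: {n} session(s) downgraded to DHG1 below the configured minimum")
```

The third sample line shows the case the count deliberately excludes: a fallback where the client's range already covers the configured minimum, which points at the server's prime list rather than at the client.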

          People

            lgoldstein Lyor Goldstein
            ahuegendp Achim Hügen