sberyozkin commented on code in PR #446: URL: https://github.com/apache/mina-sshd/pull/446#discussion_r1435360419
########## CHANGES.md:
##########
@@ -36,14 +36,38 @@ ## Behavioral changes and enhancements
+### [GH-445 - Terrapin attack mitigation](https://github.com/apache/mina-sshd/issues/429)
+
+There is a **new** `CoreModuleProperties` property that controls the mitigation for the [Terrapin attack](https://terrapin-attack.com/) via what is known as
+"strict-KEX" (see [OpenSSH PROTOCOL - 1.9 transport: strict key exchange extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)).
+It is **disabled** by default due to its experimental nature and possible interoperability issues, so users who wish to use this feature must turn it on *explicitly*.

Review Comment:
@lgoldstein sorry for the noise, as I could not open the earlier discussion. So, it is a security hardening fix, and as such keeping such fixes disabled is not great IMHO; the affected cipher has been marked as deprecated in the list of built-in ciphers for a while AFAIK. In any case, please feel free to close this comment too, thanks. This PR is great otherwise.

--
This is an automated message from the Apache Git Service.
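Review bot: the added heading line `+### [GH-445 - Terrapin attack mitigation](https://github.com/apache/mina-sshd/issues/429)` pairs the identifier GH-445 with a link to issue 429, so the text and the link target disagree; please make them point at the same issue. The entry also announces a new `CoreModuleProperties` property without naming it or showing the value that turns strict-KEX on, which is exactly what a reader of the changelog needs after the sentence ending "must turn it on *explicitly*"; add the property name and the setting there. Because the paragraph leaves the mitigation off by default, it should also state plainly that a session without strict-KEX remains subject to the linked attack, so that users can weigh the stated interoperability concerns against that exposure.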