Achim Hügen created SSHD-1136:
---------------------------------
Summary: Diffie Hellmann group exchange falls back to insecure
DHG1 if agreement on moduli size is not possible
Key: SSHD-1136
URL: https://issues.apache.org/jira/browse/SSHD-1136
Project: MINA SSHD
Issue Type: Bug
Affects Versions: 2.6.0
Reporter: Achim Hügen
After implementation of SSHD-1107 we configured the minimum modulo size of
diffie-hellman-group-exchange-sha256 to 2048 bit and expected clients that
doesn't support this minimum to not be able to connect.
But what happens is that, those clients still can connect and this warning is
logged:
{code}
chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])[ShaftServerSession[null@/10.42.110.99:44222]][prf=1024,
min=1024, max=1024] No suitable primes found, defaulting to DHG1
{code}
My understanding is, that this is a fallback to diffie-hellman-group1-sha1
which is week, see https://www.openssh.com/legacy.html
Mina should make this fallback configurable and not activate it by default.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
