sberyozkin commented on code in PR #446:
URL: https://github.com/apache/mina-sshd/pull/446#discussion_r1434923647


##########
CHANGES.md:
##########
@@ -36,13 +36,26 @@
 
 ## Behavioral changes and enhancements
 
+### [GH-445 - Terrapin attack 
mitigation](https://github.com/apache/mina-sshd/issues/429)
+
+There is a **new** `CoreModuleProperties` property that controls the 
mitigation for the [Terrapin attach](https://terrapin-attack.com/) via what is 
known as
+"strict-KEX" (see [OpenSSH PROTOCOL - 1.9 transport: strict key exchange 
extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)).
+It is **disabled** by default due to its experimental nature and possible 
interoperability issues, so users who wish to use this feature must turn it on 
*explicitly*.
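Review bot: the new heading's issue number and its link disagree: `### [GH-445 - Terrapin attack mitigation](https://github.com/apache/mina-sshd/issues/429)` names GH-445 in the text but points at issue 429, so make the label and the URL refer to the same issue. Two smaller points in the same paragraph: "Terrapin attach" should read "Terrapin attack", and the entry only says that there is a new `CoreModuleProperties` property without naming it, so a reader who follows the last sentence and wants to turn the mitigation on explicitly has nothing to look up; state the property constant (and its string key) in the entry.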

Review Comment:
   IMHO it makes sense to enable it by default; otherwise the mitigation will 
likely not be very effective in practice. For example, users may not be aware 
of the risk, or it may not be possible to enable it at the level of other 
libraries depending on sshd-core.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
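As an added example that is not part of the PR or of mina-sshd's own code: what the explicit opt-in the changelog entry asks for looks like for a user of sshd-core, on both the server and the client side, and how to read back the value a session would see. The constant name CoreModuleProperties.USE_STRICT_KEX is an assumption, since the entry does not name the new property; set(...) and getRequired(...) are the pattern sshd-core uses for its other CoreModuleProperties settings.

```java
import java.nio.file.Paths;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.PropertyResolver;
import org.apache.sshd.core.CoreModuleProperties;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

/**
 * Added example, not code from the PR or from mina-sshd itself: turning the
 * strict-KEX mitigation on explicitly, since the changelog entry says it is
 * off by default. ASSUMPTION: the constant name USE_STRICT_KEX; the entry does
 * not name the CoreModuleProperties property it introduces.
 */
public class StrictKexOptIn {

    /** Opt in to strict KEX on any sshd-core property holder (server, client or session). */
    static void enableStrictKex(PropertyResolver resolver) {
        // CoreModuleProperties entries are org.apache.sshd.common.Property objects;
        // set(...) stores the value in the resolver's property map, and sessions
        // created under that server or client resolve it from there.
        CoreModuleProperties.USE_STRICT_KEX.set(resolver, Boolean.TRUE);
    }

    /** Effective value as a session under this resolver would see it (the default applies if unset). */
    static boolean isStrictKexEnabled(PropertyResolver resolver) {
        return CoreModuleProperties.USE_STRICT_KEX.getRequired(resolver);
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));

        // Weak (default) state per the changelog entry: the mitigation is not active.
        System.out.println("server strict-kex before opt-in: " + isStrictKexEnabled(sshd));

        // Hardened state: set once on the server so every accepted session inherits it.
        enableStrictKex(sshd);
        System.out.println("server strict-kex after opt-in:  " + isStrictKexEnabled(sshd));

        // The client side needs the same explicit opt-in: strict KEX is only in
        // effect when both peers advertise support in their KEXINIT.
        SshClient client = SshClient.setUpDefaultClient();
        enableStrictKex(client);

        sshd.start();
        client.start();
        try {
            // connect, authenticate and use the client here
        } finally {
            client.stop();
            sshd.stop();
        }
    }
}
```

The setting has to be made on the SshServer or SshClient instance (or on an individual session) that the application owns, which is the reviewer's concern above: a library that merely depends on sshd-core and does not construct those objects has no place to put this opt-in.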

