As the users of this mailing list likely know, there has been some recent discussion on https://weakdh.org/ about DH and small/shared moduli. Some of us on the security team at GitHub.com were looking at the feasibility of disabling diffie-hellman-group1-sha1 server-side. We did an audit of connections made to our Git servers and the majority of them do not use diffie-hellman-group1-sha1. However, we noticed that the vast majority of clients that do connect using diffie-hellman-group1-sha1 are JSch clients. Given that JSch added support for diffie-hellman-group14-sha1 in more recent versions I was expecting to see newer clients using diffie-hellman-group14-sha1. However, it looks like Java doesn't support DH > 1024 unless you are using Java 8 or higher. The other shared algorithm between JSch and GitHub.com is ecdh-sha2-nistp256.

I'd like to propose that the default key exchange algorithms be modernized and reordered as follows:

ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

The above list is in line with the current SSH client default ordering: https://github.com/openssh/openssh-portable/blob/3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e/ssh_config.5#L975-L980

Also, as an aside, in theory we could disable group1 server-side and newer JSch clients would negotiate ecdh-sha2-nistp256. But, there are quite a few older clients connecting as well. So, it would be preferable to change the default ordering, watch the number of group1 connections decrease over time, and then remove server-side support for group1 when we have evidence that a majority of users are not connecting with group1.

Patrick
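The negotiation behaviour behind the proposal above, as an added example that is not part of the post or of JSch: it applies the RFC 4253 section 7.1 rule (the first method in the client's name-list that the server also lists wins) to show how the client's default ordering, the JVM's DH size limit and a server-side removal of group1 each change the chosen method. The legacy client ordering, the server name-lists and the per-method modulus sizes are assumptions constructed for the example.

```python
# Added example (not from the post or JSch): simulates SSH KEX negotiation per
# RFC 4253 7.1 to show why reordering the client default changes the outcome.

GROUP1 = "diffie-hellman-group1-sha1"
GROUP14 = "diffie-hellman-group14-sha1"
GEX1 = "diffie-hellman-group-exchange-sha1"
GEX256 = "diffie-hellman-group-exchange-sha256"
ECDH256 = "ecdh-sha2-nistp256"
ECDH384 = "ecdh-sha2-nistp384"
ECDH521 = "ecdh-sha2-nistp521"

# Ordering proposed in the post (matches the OpenSSH client default it cites).
PROPOSED_ORDER = [ECDH256, ECDH384, ECDH521, GEX256, GROUP14, GEX1, GROUP1]
# Assumed legacy client ordering with group1 first (constructed for the example).
LEGACY_ORDER = [GROUP1, GROUP14, GEX256, GEX1, ECDH256, ECDH384, ECDH521]
# Assumed modulus size (bits) each finite-field DH method needs; group-exchange
# is taken to request 2048 bits. ECDH methods are not finite-field DH and are
# unaffected by the JVM limit, so they are absent from this table.
DH_BITS = {GROUP1: 1024, GROUP14: 2048, GEX1: 2048, GEX256: 2048}


def client_kex_list(order, java_major):
    """Name-list the client advertises. Assumption: before Java 8 the JVM cannot
    do DH with moduli over 1024 bits (as the post reports), so those methods
    are dropped from the list before it is sent."""
    limit = 2048 if java_major >= 8 else 1024
    return [alg for alg in order if DH_BITS.get(alg, 0) <= limit]


def negotiate_kex(client_list, server_set):
    """RFC 4253 7.1: first client-preferred method the server also supports."""
    for alg in client_list:
        if alg in server_set:
            return alg
    return None  # no method in common: the connection fails


def outcome(order, java_major, server_set):
    return negotiate_kex(client_kex_list(order, java_major), server_set)


SERVER_ALL = frozenset(PROPOSED_ORDER)      # constructed server name-list
SERVER_NO_GROUP1 = SERVER_ALL - {GROUP1}    # same server with group1 disabled
GROUP1_ONLY_CLIENT = [GROUP1]               # constructed very old client

if __name__ == "__main__":
    print("legacy order, Java 7, full server  :", outcome(LEGACY_ORDER, 7, SERVER_ALL))
    print("proposed order, Java 7, full server:", outcome(PROPOSED_ORDER, 7, SERVER_ALL))
    print("legacy order, Java 7, no group1    :", outcome(LEGACY_ORDER, 7, SERVER_NO_GROUP1))
    print("legacy order, Java 8, no group1    :", outcome(LEGACY_ORDER, 8, SERVER_NO_GROUP1))
    print("group1-only client, no group1      :", outcome(GROUP1_ONLY_CLIENT, 7, SERVER_NO_GROUP1))
```

The last case is the risk the post mentions: a client that only offers group1 has no method in common with a server that has disabled it and cannot connect at all.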
JSch-users mailing list
JSch-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jsch-users