Patrick Toomey
2015-05-27 13:19:36 UTC
As the users of this mailing list likely know, there has been some
recent discussion on https://weakdh.org/ about DH and small/shared
moduli. Some of us on the security team at GitHub.com were looking at
the feasibility of disabling diffie-hellman-group1-sha1 server-side.
We did an audit of connections made to our Git servers and the
majority of them do not use diffie-hellman-group1-sha1. However, we
noticed that the vast majority of clients that do connect using
diffie-hellman-group1-sha1 are JSch clients. Given that JSch added
support for diffie-hellman-group14-sha1 in more recent versions I was
expecting to see newer clients using diffie-hellman-group14-sha1.
However, it looks like Java doesn't support DH > 1024 unless you are
using Java 8 or higher. The other shared algorithm between JSch
and GitHub.com is ecdh-sha2-nistp256. I'd like to propose that the
default key exchange algorithms be modernized and reordered as
follows:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
The above list is in line with the current SSH client default
ordering:
https://github.com/openssh/openssh-portable/blob/3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e/ssh_config.5#L975-L980.
Also, as an aside, in theory we could disable group1 server-side and newer
JSch clients would negotiate ecdh-sha2-nistp256. But, there are quite a few
older clients connecting as well. So, it would be preferable to change the
default ordering, watch the number of group1 connections decrease over
time, and then remove server-side support for group1 when we have evidence
that a majority of users are not connecting with group1.
Patrick
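An added example, not code from the post or from the JSch project: a client-side way to apply the proposed ordering today without waiting for the library default to change. It probes the running JVM for the limitation the post describes (pre-Java 8 JCE refuses DH key sizes above 1024 bits) and for EC support, drops the kex algorithms the JVM could not complete, optionally drops diffie-hellman-group1-sha1 entirely, and then sets the result both as the process-wide JSch default and as a per-session override. The host name, user name and the decision to treat diffie-hellman-group-exchange-* like group14 (because a modern server will usually select a group larger than 1024 bits) are assumptions made for the illustration. The manual join keeps the code compilable on Java 7.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public class KexPreference {

    /** The ordering proposed in the post, ECDH first and group1 last. */
    static final String PROPOSED_KEX =
        "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
      + "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,"
      + "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1";

    /** True if this JVM can generate a DH key pair of the given size.
     *  Pre-Java 8 JCE throws InvalidParameterException for sizes above 1024. */
    static boolean supportsDhBits(int bits) {
        try {
            KeyPairGenerator.getInstance("DH").initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            return false;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** True if the JVM has an EC key pair generator (needed for ecdh-sha2-*). */
    static boolean supportsEcdh() {
        try {
            KeyPairGenerator.getInstance("EC");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Remove algorithms the JVM cannot complete, so negotiation never selects
     *  a kex that then fails locally, and drop group1 unless explicitly allowed. */
    static String prune(String kexList, boolean allowGroup1) {
        boolean dh2048 = supportsDhBits(2048);
        boolean ecdh = supportsEcdh();
        List<String> keep = new ArrayList<String>();
        for (String k : kexList.split(",")) {
            if (k.startsWith("ecdh-sha2-") && !ecdh) continue;
            // group14 is a 2048-bit group; assumption: group exchange also needs
            // > 1024-bit DH in practice, since servers now pick large groups.
            if ((k.equals("diffie-hellman-group14-sha1")
                 || k.startsWith("diffie-hellman-group-exchange-")) && !dh2048) continue;
            if (k.equals("diffie-hellman-group1-sha1") && !allowGroup1) continue;
            keep.add(k);
        }
        return join(keep);
    }

    /** Comma-join without String.join, which only exists from Java 8. */
    static String join(List<String> parts) {
        StringBuilder sb = new StringBuilder();
        for (String p : parts) {
            if (sb.length() > 0) sb.append(',');
            sb.append(p);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Keep group1 only as a last resort; pass "false" to refuse it outright.
        boolean allowGroup1 = args.length > 0 && args[0].equals("allow-group1");
        String kex = prune(PROPOSED_KEX, allowGroup1);
        System.out.println("JSch default kex: " + JSch.getConfig("kex"));
        System.out.println("Using kex:        " + kex);

        // Process-wide default for every Session created afterwards.
        JSch.setConfig("kex", kex);

        // Per-session override (hypothetical host and user for illustration).
        JSch jsch = new JSch();
        jsch.addIdentity(System.getProperty("user.home") + "/.ssh/id_rsa");
        Session session = jsch.getSession("git", "github.com", 22);
        session.setConfig("kex", kex);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.connect(10000);
        System.out.println("connected; server version: " + session.getServerVersion());
        session.disconnect();
    }
}
```

Setting the list on both the JSch instance and the Session is deliberate: JSch.setConfig changes the default for sessions created later, while Session.setConfig is what takes effect for an already created session. On a JVM that fails the 2048-bit DH probe, the pruned list contains only the ECDH entries (plus group1 if allowed), which matches the post's observation that ecdh-sha2-nistp256 is the only modern algorithm such clients share with the server.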