Can we disable diffie-hellman-group14-sha1 too? On Thu, Feb 14, 2019 at 10:23 PM Mark D. Baushke <mdb@xxxxxxxxxxx> wrote: > > Hi John, > > The short answer is YES. > > Jon DeVree <nuxi@xxxxxxxxxxx> writes: > > > I ask because the removal of diffie-hellman-group-exchange-sha1 happened > > accidently in 7.8 due to a mistake in a change to readconf.c. I noticed > > this and filed a bug about it along with a patch to fix readconf.c to use > > KEX_CLIENT_* like it used to: > > The diffie-hellman-group-exchange-sha1 is an optional key exchange > method provided by RFC4419 and updated by RFC8270. > > Support for it is not required and may (and in my opinion should) be > disabled by default without any impact to the SSHv2 protocol. > > The only two Mandatory To Implement (MTI) key exchange methods are those > in RFC3253 (diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1). > Even though they are MTIs, that just means you need to be able configure > them, there is no mandatory requirement that a given installation enable > them by default. > > Enjoy! > -- Mark > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
