Re: Can we disable diffie-hellman-group-exchange-sha1 by default?


 



Can we disable diffie-hellman-group14-sha1 too?

On Thu, Feb 14, 2019 at 10:23 PM Mark D. Baushke <mdb@xxxxxxxxxxx> wrote:
>
> Hi John,
>
> The short answer is YES.
>
> Jon DeVree <nuxi@xxxxxxxxxxx> writes:
>
> > I ask because the removal of diffie-hellman-group-exchange-sha1 happened
> > accidentally in 7.8 due to a mistake in a change to readconf.c. I noticed
> > this and filed a bug about it along with a patch to fix readconf.c to use
> > KEX_CLIENT_* like it used to:
>
> The diffie-hellman-group-exchange-sha1 is an optional key exchange
> method provided by RFC4419 and updated by RFC8270.
>
> Support for it is not required and may (and in my opinion should) be
> disabled by default without any impact to the SSHv2 protocol.
>
> The only two Mandatory To Implement (MTI) key exchange methods are those
> in RFC3253 (diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1).
> Even though they are MTIs, that just means you need to be able to configure
> them, there is no mandatory requirement that a given installation enable
> them by default.
>
>         Enjoy!
>         -- Mark
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
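
Added example, not part of the original thread and not OpenSSH project code: a small shell check that picks the SHA-1 key exchange methods discussed above out of an effective KEX list and prints a KexAlgorithms line that removes them from the defaults. The function names and the sample list are constructed for illustration; the leading "-" form of KexAlgorithms needs an OpenSSH release that accepts that prefix.

```shell
#!/bin/sh
# Constructed sample of an effective KEX list, in the comma-separated form
# that `sshd -T` prints on its "kexalgorithms" line. Not from a real host.
SAMPLE_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'

# sha1_kex LIST (hypothetical helper)
# Print the methods in a comma-separated list whose hash is SHA-1,
# comma-separated and in their original order. Prints an empty line if none.
sha1_kex() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk '/-sha1$/ { out = out (out ? "," : "") $0 } END { print out }'
}

# kex_removal_line LIST (hypothetical helper)
# Print a config line that removes the SHA-1 methods from the default set.
# Returns 1 and prints nothing when the list contains no SHA-1 method.
kex_removal_line() {
    weak=$(sha1_kex "$1")
    [ -n "$weak" ] || return 1
    printf 'KexAlgorithms -%s\n' "$weak"
}

# Stand-alone use: pass a list as the first argument, for example the value
# of the kexalgorithms line from `sshd -T`; without one the sample is used.
kex_removal_line "${1:-$SAMPLE_KEX}" || echo "no SHA-1 key exchange methods in list"
```

The methods stay configurable after this change, which matches the point made in the quoted reply: a site that still needs one of them for a legacy peer can add it back in a Host or Match block.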


