x/crypto/ssh: Make SetDefaults disable diffie-hellman-group1-sha1 #12955
Comments
Would this really fix anything, practically speaking? Group1 is already the least preferred kex anyway. Do you have any data on which implementations don't support anything but group1? Are there any clients which prefer group1 over the stronger kexes?
It's a question of defensive security posture. In a perfect world, clients would protect themselves by insisting on something other than group1, but we don't live in a perfect world. In my opinion, Go's defaults should be defensive, and we now suspect that group1 is unusable for secure communication, so it has to be removed from the defaults.
Change https://golang.org/cl/123595 mentions this issue:
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack.

Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicitly.

See also:
https://www.openssh.com/legacy.html
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

Fixes golang/go#12955

Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
https://weakdh.org/sysadmin.html recommends that users of OpenSSH who want to continue to support non-elliptic-curve Diffie-Hellman should disable Group 1 support, by removing the diffie-hellman-group1-sha1 Key Exchange.
I think it would be in keeping with Go's normal forward-looking and strong security posture that SetDefaults does not include kexAlgoDH1SHA1 in Config.KeyExchanges. The docs could be updated to indicate that users wishing to enable this deprecated key exchange algorithm should add it at the end of Config.KeyExchanges themselves after calling SetDefaults.
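One way to handle the explicit opt-in the commit message describes, as an added example that is not code from this issue or from x/crypto/ssh: group1 is appended last and only for allowlisted legacy servers, and an audit function flags any other use. The host names, the `preferred` list and the helper names `KexFor` and `Audit` are assumptions; the returned slice is what you would assign to `Config.KeyExchanges`.

```go
package main

import "fmt"

const weakKex = "diffie-hellman-group1-sha1"

// preferred is a constructed sample list, not the library's actual default set.
var preferred = []string{
	"curve25519-sha256@libssh.org",
	"ecdh-sha2-nistp256",
	"diffie-hellman-group14-sha1",
}

// legacyHosts is a hypothetical allowlist of servers known to offer only group1.
var legacyHosts = map[string]bool{"old-switch.example.internal:22": true}

// KexFor returns the list to assign to Config.KeyExchanges for addr.
// group1 is appended last, and only for allowlisted hosts.
func KexFor(addr string) []string {
	kex := append([]string(nil), preferred...) // copy, never mutate the shared list
	if legacyHosts[addr] {
		kex = append(kex, weakKex)
	}
	return kex
}

// Audit returns findings for an explicit kex list used against addr.
func Audit(addr string, kex []string) []string {
	var findings []string
	for i, k := range kex {
		if k != weakKex {
			continue
		}
		if !legacyHosts[addr] {
			findings = append(findings, "group1 enabled for a host not on the legacy allowlist")
		}
		if i != len(kex)-1 {
			findings = append(findings, "group1 is not the least preferred kex")
		}
	}
	return findings
}

func main() {
	for _, addr := range []string{"old-switch.example.internal:22", "git.example.internal:22"} {
		kex := KexFor(addr)
		fmt.Println(addr, kex, Audit(addr, kex))
	}
}
```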