x/crypto/ssh: Make SetDefaults disable diffie-hellman-group1-sha1 #12955
Labels
Milestone
Comments
|
Would this really fix anything, practically speaking? Group1 is already the least preferred kex anyway. Do you have any data on which implementations don't support anything but group1? Are there any clients which prefer group1 over the stronger kexes? |
|
It's a question of defensive security posture. In a perfect world, clients would protect themselves by insisting on something other than group1, but we don't live in a perfect world. In my opinion, Go's defaults should be defensive, and we now suspect that group1 is unusable for secure communication, so it has to be removed from the defaults. |
|
Change https://golang.org/cl/123595 mentions this issue: |
bored-engineer
pushed a commit
to bored-engineer/ssh
that referenced
this issue
Oct 13, 2019
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
bored-engineer
pushed a commit
to bored-engineer/ssh
that referenced
this issue
Oct 13, 2019
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
bored-engineer
pushed a commit
to bored-engineer/ssh
that referenced
this issue
Oct 13, 2019
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 28, 2022
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 29, 2022
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 29, 2022
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
LewiGoddard
pushed a commit
to LewiGoddard/crypto
that referenced
this issue
Feb 16, 2023
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
BiiChris
pushed a commit
to BiiChris/crypto
that referenced
this issue
Sep 15, 2023
This removes diffie-hellman-group1-sha1 from the list of default key exchange algorithms. This kex is considered weak and potentially vulnerable to the Logjam attack. Note: This is a backwards incompatible change: if you connect to ssh servers that do not support any key exchanges except for dh-group1-sha1, you must now specify config.KeyExchanges explicity. See also: https://www.openssh.com/legacy.html https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html Fixes golang/go#12955 Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595 Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
https://weakdh.org/sysadmin.html recommends that users of OpenSSH who want to continue to support non-elliptic-curve Diffie-Hellman should disable Group 1 support, by removing the diffie-hellman-group1-sha1 Key Exchange.
I think it would be in keeping with Go's normal forward looking and strong security posture that SetDefault does not include kexAlgoDH1SHA1 in Config.KeyExchanges. The docs could be updated to indicate that users wishing to enable this deprecated key exchange algorithm should add it at the end of Config.KeyExchanges themselves after calling SetDefaults.
The text was updated successfully, but these errors were encountered: