[erlang-bugs] SSH library does not conform to the RFC standard

Alex Wilson alex@REDACTED
Tue Jul 7 01:17:02 CEST 2015


On Fri, 2015-07-03 at 20:46 +0000, Adam Krupicka wrote:
>         Strange, because the RFC also states
>         that diffie-hellman-group1-sha1 MUST also be supported, in the
>         paragraph above the one you are referring to (8.1)
>         
>         I guess the SSH servers are not running in an interoperability
>         mode?
> 
> 
> Sorry, I wasn't clear enough. The algorithm is supported, but is
> disabled by default in the OpenSSH version (that I've mentioned above)
> I'm using. I don't know what the reason behind that choice was,
> though.

OpenSSH have been aggressively deprecating and removing older ciphers
and kex algorithms when they are found to be weak in practice. This has
always been their policy (they consider security far more important than
compatibility), but I guess we picked the right algos to implement
originally because we've stayed compatible for quite a long time.

With reference particularly to dh-group1-sha1, this is a fixed 1024-bit
DH group, which is known to be vulnerable to an analogue of the LOGJAM
attack (see https://weakdh.org/) -- this is the reason why support for
it has been dropped by default.

They normally turn these weak ciphers and kex algos off in the server
first, and then a few versions later in the client, to avoid suddenly
annoying too many people. The dh-group1-sha1 change has also affected
some PuTTY users and those of other clients, as well.

So yes, we will need to implement the group14 variant. The difference is
fairly small, hopefully it won't be too much trouble.
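
An added example, not part of the original message or of the Erlang ssh code: a Python check that reads the kex_algorithms name-list from an SSH_MSG_KEXINIT payload (layout per RFC 4253 section 7.1) and reports whether a peer offers the 1024-bit group1 and whether it also offers group14. The MIN_BITS floor, the function names and the sample payloads are assumptions constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253, section 12
# Fixed-group kex names and their modulus sizes (RFC 4253, section 8).
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,   # Oakley Group 2
    "diffie-hellman-group14-sha1": 2048,  # Oakley Group 14
}
MIN_BITS = 2048  # assumption: local policy floor, not a value from the thread


def name_list(items):
    """Encode an RFC 4251 name-list: uint32 length, then comma-separated names."""
    body = ",".join(items).encode("ascii")
    return struct.pack(">I", len(body)) + body


def parse_kex_algorithms(payload):
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)  # skip type + 16-byte cookie
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []


def audit(payload):
    """Return (fixed groups below MIN_BITS, True if a fixed group >= MIN_BITS is offered)."""
    offered = parse_kex_algorithms(payload)
    weak = [k for k in offered if FIXED_GROUP_BITS.get(k, MIN_BITS) < MIN_BITS]
    strong = [k for k in offered if FIXED_GROUP_BITS.get(k, 0) >= MIN_BITS]
    return weak, bool(strong)


def build_kexinit(kex):
    """Constructed sample payload: zero cookie, placeholder values in the other lists."""
    lists = [kex, ["ssh-rsa"], ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)
            + b"".join(name_list(names) for names in lists) + b"\x00" + bytes(4))


# Constructed peers: one offering only group1, one that also offers group14.
LEGACY = build_kexinit(["diffie-hellman-group1-sha1"])
UPDATED = build_kexinit(["diffie-hellman-group14-sha1",
                         "diffie-hellman-group1-sha1"])
```

Kex names that are not in FIXED_GROUP_BITS (for example group-exchange or elliptic-curve methods) are neither flagged nor counted by this check.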





