From 76ae1859896c23fb30253b7d28dbf4c9298a4e3d Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 16 Mar 2020 17:35:47 +0100
Subject: [PATCH] ssh: Disable 'diffie-hellman-group14-sha1' and
'diffie-hellman-group-exchange-sha1'
---
lib/ssh/doc/src/ssh_app.xml | 32 ++++++++++++++++++++------------
lib/ssh/src/ssh_transport.erl | 5 ++++-
2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/lib/ssh/doc/src/ssh_app.xml b/lib/ssh/doc/src/ssh_app.xml
index 129f5a96b8..87faf203ae 100644
--- a/lib/ssh/doc/src/ssh_app.xml
+++ b/lib/ssh/doc/src/ssh_app.xml
@@ -159,14 +159,18 @@
<item>curve25519-sha256</item>
<item>curve25519-sha256@libssh.org</item>
<item>curve448-sha512</item>
- <item>diffie-hellman-group14-sha1</item>
- <item>diffie-hellman-group-exchange-sha1</item>
- <item>(diffie-hellman-group1-sha1, retired: It can be enabled with the
- <seealso marker="ssh:ssh#type-preferred_algorithms_common_option">preferred_algorithms</seealso>
- or
- <seealso marker="ssh:ssh#type-modify_algorithms_common_option">modify_algorithms</seealso>
- options. Use for example the Option value <c>{modify_algorithms, [{append, [{kex,['diffie-hellman-group1-sha1']}]}]}</c>)</item>
</list>
+ <p>The following unsecure <c>sha1</c> algorithms are now disabled by default:</p>
+ <list>
+ <item>(diffie-hellman-group14-sha1)</item>
+ <item>(diffie-hellman-group-exchange-sha1)</item>
+ <item>(diffie-hellman-group1-sha1)</item>
+ </list>
+ <p>They can be enabled with the
+ <seealso marker="ssh:ssh#type-preferred_algorithms_common_option">preferred_algorithms</seealso>
+ or
+ <seealso marker="ssh:ssh#type-modify_algorithms_common_option">modify_algorithms</seealso>
+ options. Use for example the Option value <c>{modify_algorithms, [{append, [{kex,['diffie-hellman-group1-sha1']}]}]}</c>)</p>
</item>
<tag>Public key algorithms</tag>
@@ -190,12 +194,16 @@
<item>hmac-sha2-256</item>
<item>hmac-sha2-512</item>
<item>hmac-sha1</item>
- <item>(hmac-sha1-96 It can be enabled with the
- <seealso marker="ssh:ssh#type-preferred_algorithms_common_option">preferred_algorithms</seealso>
- or
- <seealso marker="ssh:ssh#type-modify_algorithms_common_option">modify_algorithms</seealso>
- options. Use for example the Option value <c>{modify_algorithms, [{append, [{mac,['hmac-sha1-96']}]}]}</c>)</item>
</list>
+ <p>The following unsecure <c>sha1</c> algorithm is now disabled by default:</p>
+ <list>
+ <item>(hmac-sha1-96)</item>
+ </list>
+ <p>It can be enabled with the
+ <seealso marker="ssh:ssh#type-preferred_algorithms_common_option">preferred_algorithms</seealso>
+ or
+ <seealso marker="ssh:ssh#type-modify_algorithms_common_option">modify_algorithms</seealso>
+ options. Use for example the Option value <c>{modify_algorithms, [{append, [{mac,['hmac-sha1-96']}]}]}</c>)</p>
</item>
<tag>Encryption algorithms (ciphers)</tag>
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 4b89ea8586..2cad1bced1 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -101,7 +101,10 @@ algo_two_spec_class(_) -> false.
default_algorithms(kex) ->
supported_algorithms(kex, [
%% Gone in OpenSSH 7.3.p1:
- 'diffie-hellman-group1-sha1'
+ 'diffie-hellman-group1-sha1',
+ %% Gone in OpenSSH 8.2
+ 'diffie-hellman-group14-sha1',
+ 'diffie-hellman-group-exchange-sha1'
]);
default_algorithms(cipher) ->
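Review bot: The list passed to `supported_algorithms(kex, [...])` appears to be the set of names left out of the defaults, but its only comments are OpenSSH version notes, so this clause does not say that adding an atom here disables it, or why. I would put a comment above the list such as `%% Excluded from the default kex proposal (SHA-1 based); still selectable via preferred_algorithms / modify_algorithms`. The patch also carries no test asserting that `ssh:default_algorithms()` no longer offers the two names, so a later edit could silently restore them. After this change, peers that offer only SHA-1 key exchange will presumably fail negotiation until the operator re-enables the algorithm explicitly, which deserves a release note. The `default_algorithms(cipher)` clause continues outside the hunk.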
--
2.16.4