source.dussan.org Git - jgit.git/commit

author	Thomas Wolf <twolf@apache.org>
	Sat, 3 Feb 2024 21:22:16 +0000 (22:22 +0100)
committer	Matthias Sohn <matthias.sohn@sap.com>
	Sat, 9 Mar 2024 21:54:22 +0000 (22:54 +0100)
commit	da7a88bceae32c66b54f4f1cbf331213663db219
tree	64da8f5e1110c7af8379d7b1d3da3e4d8d0f6767	tree \| snapshot
parent	819c5bcc8b2a2685c20e5b8e568f776b19f7db63	commit \| diff

[ssh] Implement the "Ciphers" SSH config

Upstream will remove the CBC algorithms aes128-cbc, aes192-cbc, and
aes256-cbc from the server's KEX proposal in the next release. Removal
of these algorithms by default in the client is planned for the release
after that. These CBC algorithms were found vulnerable back in 2008,[1]
and OpenSSH does not propose them: server-side since 2014, client-side
since 2017.

It is _highly_ unlikely that the removal of these algorithms by default
would affect any JGit user. Nevertheless, let's give users a way to
explicitly specify ciphers (including enabling deprecated algorithms)
via their ~/.ssh/config file.

[1] https://www.kb.cert.org/vuls/id/958563

Change-Id: I7444861df3a7f526277fef2485773a20ac74ae8a
Signed-off-by: Thomas Wolf <twolf@apache.org>

org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java		diff \| blob \| history
org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF		diff \| blob \| history
org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java		diff \| blob \| history