authorThomas Wolf <twolf@apache.org>2024-02-03 22:22:16 +0100
committerMatthias Sohn <matthias.sohn@sap.com>2024-03-09 22:54:22 +0100
commitda7a88bceae32c66b54f4f1cbf331213663db219 (patch)
tree64da8f5e1110c7af8379d7b1d3da3e4d8d0f6767 /org.eclipse.jgit.ssh.apache.test
parent819c5bcc8b2a2685c20e5b8e568f776b19f7db63 (diff)
[ssh] Implement the "Ciphers" SSH config
Upstream will remove the CBC algorithms aes128-cbc, aes192-cbc, and aes256-cbc from the server's KEX proposal in the next release. Removal of these algorithms by default in the client is planned for the release after that. These CBC algorithms were found vulnerable back in 2008,[1] and OpenSSH does not propose them: server-side since 2014, client-side since 2017. It is _highly_ unlikely that the removal of these algorithms by default would affect any JGit user. Nevertheless, let's give users a way to explicitly specify ciphers (including enabling deprecated algorithms) via their ~/.ssh/config file. [1] https://www.kb.cert.org/vuls/id/958563 Change-Id: I7444861df3a7f526277fef2485773a20ac74ae8a Signed-off-by: Thomas Wolf <twolf@apache.org>
Diffstat (limited to 'org.eclipse.jgit.ssh.apache.test')
-rw-r--r--org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java33
1 files changed, 33 insertions, 0 deletions
diff --git a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
index a8fcca7b8e..873945780f 100644
--- a/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
+++ b/org.eclipse.jgit.ssh.apache.test/tst/org/eclipse/jgit/transport/sshd/ApacheSshTest.java
@@ -861,4 +861,37 @@ public class ApacheSshTest extends SshTestBase {
verifyAuthLog(e.getMessage(), "log in");
}
+ @Test
+ public void testCipherModificationSingle() throws Exception {
+ cloneWith(
+ "ssh://" + TEST_USER + "@localhost:" + testPort
+ + "/doesntmatter",
+ defaultCloneDir, null,
+ "IdentityFile " + privateKey1.getAbsolutePath(),
+ "Ciphers aes192-ctr");
+ }
+
+ @Test
+ public void testCipherModificationAdd() throws Exception {
+ cloneWith(
+ "ssh://" + TEST_USER + "@localhost:" + testPort
+ + "/doesntmatter",
+ defaultCloneDir, null,
+ "IdentityFile " + privateKey1.getAbsolutePath(),
+ "Ciphers +3des-cbc");
+ }
+
+ @Test
+ public void testCipherModificationUnknown() throws Exception {
+ TransportException e = assertThrows(TransportException.class,
+ () -> cloneWith(
+ "ssh://" + TEST_USER + "@localhost:" + testPort
+ + "/doesntmatter",
+ defaultCloneDir, null,
+ "IdentityFile " + privateKey1.getAbsolutePath(),
+ // The server is not configured to use this deprecated
+ // algorithm
+ "Ciphers 3des-cbc"));
+ assertTrue(e.getLocalizedMessage().contains("3des-cbc"));
+ }
}
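Review bot: `testCipherModificationSingle` and `testCipherModificationAdd` assert only that the clone succeeds, so as far as this hunk shows they would still pass if the `Ciphers` line were ignored and the default proposal were used; `cloneWith` is defined outside the hunk, so anything it checks beyond that is not visible here. Only `testCipherModificationUnknown` demonstrates that the setting reaches the key exchange. For a setting whose purpose is to restrict or re-enable algorithms, the positive tests should check the cipher that was actually negotiated (or the client's proposal), or at least carry a comment such as `// only proves negotiation still succeeds; does not verify that aes192-ctr was the cipher used`. The name `testCipherModificationUnknown` also disagrees with its own comment, which says the server does not offer the algorithm rather than that it is unknown; something like `testCipherNotOfferedByServer` would be clearer, and the final `assertTrue` would be easier to diagnose with a failure message that includes `e.getLocalizedMessage()`.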