Add support for CTR ciphers

CandyShop / gerrit

Automatically exported from code.google.com/p/gerrit

Apache License 2.0

1 stars 0 forks source link

Add support for CTR ciphers #1507

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

CBC ciphers are considered vulnerable[1]. It's now recommended practice to 
prefer CTR ciphers, and some security guidelines even require disabling CBC 
ciphers[2]. It means that Gerrit is unusable in these environments.

Unless I am mistaken, CTR ciphers are supported already by JCE, so this should 
be a straight-forward patch that is mostly copy/pasting of the AES*CBC cipher 
code.

I've submitted this request to upstream[3]. However, Gerrit could add this 
ciphers internally with minimal code if MINA SSHD doesn't take up the issue.

[1] http://www.openssh.com/txt/cbc.adv
[2] 
http://svn.fedorahosted.org/svn/aqueduct/trunk/compliance/Bash/STIG/rhel-5-beta/
prod/GEN005511.sh
[3] https://issues.apache.org/jira/browse/SSHD-180

Original issue reported on code.google.com by geek...@gmail.com on 5 Aug 2012 at 7:22

GoogleCodeExporter commented 9 years ago

Is the version available in JCE threaded, like:
http://www.psc.edu/index.php/hpn-ssh

I benched my new server and it peaks at ~40 mb/s and this seems related to the 
non-threading nature of how it currently works. (then streams got me up to 1.93 
gbit/s)

Original comment by Ian.Kuml...@gmail.com on 17 Sep 2012 at 10:47

GoogleCodeExporter commented 9 years ago

I am not aware of the implementation issues that you have identified. For my 
purposes, 40mb/s would be more than sufficient for our software development. At 
best, your issue seems to be against the JRE you use and not against the Gerrit 
project.

Note that [3] was closed and completed, although a new release has not be made 
yet.

Original comment by geek...@gmail.com on 22 Oct 2012 at 6:32

GoogleCodeExporter commented 9 years ago

My IT department likes to have scans come up as clean as possible. I would be 
interested in a configuration option to disable the CBC ciphers that are 
currently throwing issues.

Original comment by gavinswa...@gmail.com on 14 Jul 2014 at 6:11

GoogleCodeExporter commented 9 years ago

You can configure the ciphers used by setting the sshd.cipher setting for the 
SSH daemon. ( 
https://gerrit-review.googlesource.com/Documentation/install.html#cryptography )

The upcoming 2.9 release now enables support for the various CTR ciphers if you 
also install the JCE extensions.

Original comment by m...@talios.com on 15 Jul 2014 at 4:12

GoogleCodeExporter commented 9 years ago

I just upgraded to Gerrit 2.9, and I can confirm that I now have the option to 
use CTR ciphers, so this issue can be closed.

Original comment by geek...@gmail.com on 22 Sep 2014 at 3:39

GoogleCodeExporter commented 9 years ago

Original comment by David.Os...@gmail.com on 22 Sep 2014 at 3:44

Changed state: Released
Added labels: FixedIn-2.9