Mercurial > 510Connectbot
changeset 358:37f4a3b506d9
move nist ec curves to lower priority
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Sun, 03 Aug 2014 11:16:40 -0700 |
| parents | 46c2115ae1c8 |
| children | 93621e963303 |
| files | src/ch/ethz/ssh2/ServerConnection.java src/ch/ethz/ssh2/transport/KexManager.java xml/510connectbot.in |
| diffstat | 3 files changed, 21 insertions(+), 17 deletions(-) [+] |
line wrap: on
line diff
--- a/src/ch/ethz/ssh2/ServerConnection.java Fri Aug 01 13:34:58 2014 -0700 +++ b/src/ch/ethz/ssh2/ServerConnection.java Sun Aug 03 11:16:40 2014 -0700 @@ -307,16 +307,12 @@ private void fixCryptoWishList(CryptoWishList next_cryptoWishList, KeyPair next_dsa_key, KeyPair next_rsa_key, KeyPair next_ec_key) { List<String> algos = new ArrayList<String>(); + if (next_rsa_key != null) algos.add("ssh-rsa"); + if (next_dsa_key != null) algos.add("ssh-dss"); if (next_ec_key != null) algos.add("ecdsa-sha2-nistp521"); - if (next_ec_key != null) algos.add("ecdsa-sha2-nistp384"); - if (next_ec_key != null) algos.add("ecdsa-sha2-nistp256"); - if (next_dsa_key != null) algos.add("ssh-dss"); - - if (next_rsa_key != null) algos.add("ssh-rsa"); - next_cryptoWishList.serverHostKeyAlgorithms = new String[algos.size()]; algos.toArray(next_cryptoWishList.serverHostKeyAlgorithms); }
--- a/src/ch/ethz/ssh2/transport/KexManager.java Fri Aug 01 13:34:58 2014 -0700 +++ b/src/ch/ethz/ssh2/transport/KexManager.java Sun Aug 03 11:16:40 2014 -0700 @@ -14,8 +14,7 @@ import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.ECPrivateKey; import java.util.Arrays; -import java.util.Set; -import java.util.TreeSet; +import java.util.ArrayList; import ch.ethz.ssh2.ConnectionInfo; import ch.ethz.ssh2.DHGexParameters; @@ -39,24 +38,24 @@ public abstract class KexManager implements MessageHandler { protected static final Logger log = Logger.getLogger(KexManager.class); - private static final Set<String> HOSTKEY_ALGS = new TreeSet<String>(); + private static final ArrayList<String> HOSTKEY_ALGS = new ArrayList<String>(); static { + HOSTKEY_ALGS.add("ssh-rsa"); + HOSTKEY_ALGS.add("ssh-dss"); HOSTKEY_ALGS.add("ecdsa-sha2-nistp256"); HOSTKEY_ALGS.add("ecdsa-sha2-nistp384"); HOSTKEY_ALGS.add("ecdsa-sha2-nistp521"); - HOSTKEY_ALGS.add("ssh-rsa"); - HOSTKEY_ALGS.add("ssh-dss"); } - private static final Set<String> KEX_ALGS = new TreeSet<String>(); + private static final ArrayList<String> KEX_ALGS = new ArrayList<String>(); static { - KEX_ALGS.add("ecdh-sha2-nistp256"); - KEX_ALGS.add("ecdh-sha2-nistp384"); - KEX_ALGS.add("ecdh-sha2-nistp521"); KEX_ALGS.add("diffie-hellman-group-exchange-sha256"); KEX_ALGS.add("diffie-hellman-group-exchange-sha1"); KEX_ALGS.add("diffie-hellman-group14-sha1"); KEX_ALGS.add("diffie-hellman-group1-sha1"); + KEX_ALGS.add("ecdh-sha2-nistp256"); + KEX_ALGS.add("ecdh-sha2-nistp384"); + KEX_ALGS.add("ecdh-sha2-nistp521"); } KexState kxs;
--- a/xml/510connectbot.in Fri Aug 01 13:34:58 2014 -0700 +++ b/xml/510connectbot.in Sun Aug 03 11:16:40 2014 -0700 @@ -80,8 +80,17 @@ </para></listitem> <listitem><para> - The underlying ssh code has been updated from trilead to - ganymed. Elliptic curve crypto is now supported. + The underlying compression code from jcraft has + been updated. The underlying socks proxy code has + been updated. The underlying ssh code has been + updated from trilead to ganymed. Elliptic curve + crypto is now supported, but the NIST curves are + placed after the RSA and DH types in the list of + key exchange algorithms, so they should only be + used if the server does not support RSA or + DH. This change is based on on a general lack of + trust in NIST curves that have possibly been + compromised by NSA. </para></listitem> <listitem><para>