DH Group Exchange Fallback

Tim Broberg Tim.Broberg at servicenow.com
Mon Sep 25 03:40:12 AEST 2017


I see.

Yes, using explicitly disabled algorithms is a very surprising behavior.
    - Tim.

On 9/23/17, 10:32 AM, "Joseph S Testa II" <jtesta at positronsecurity.com> wrote:

    On 09/22/2017 06:55 PM, Tim Broberg wrote:
    > Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled?
    
    In the end, I'm trying to ensure a minimum equivalent of 128-bits of 
    security.  Group14 is 2048-bits, which roughly translates to 112-bits. [1]
    
    To this end, I disabled the "diffie-hellman-group14-sha1" and 
    "diffie-hellman-group14-sha256" kex algorithms, but the problem is that 
    the group exchange "diffie-hellman-group-exchange-sha256" is not 
    respecting the admin's wishes, and falls back to group14, even when 
    specifically told not to (by the admin removing 2048-bit groups in 
    /etc/ssh/moduli).
    
    There's currently no way to ensure 100% that 2048-bit DH is disabled.
    
        - Joe
    
    
    [1] See NIST Special Publication 800-57, Part 1, Revision 4, p. 53, 
    <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf>.
    
    
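Added example (not from the thread or from OpenSSH itself): a small audit of the admin-side steps discussed above. It measures the bit length of every group actually present in a moduli-format file, using constructed sample lines with synthetic (non-prime) moduli, and checks whether a KexAlgorithms value still offers group exchange. The 3072-bit threshold is an assumed policy value, chosen to match the 128-bit target in the reply.

```python
import re
from collections import Counter

# time type tests trials size generator modulus  (the /etc/ssh/moduli layout)
MODULI_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)$"
)
GEX_KEX = {"diffie-hellman-group-exchange-sha256",
           "diffie-hellman-group-exchange-sha1"}


def _fake_modulus(bits):
    # Constructed hex string with exactly `bits` significant bits (not a prime).
    return "8" + "F" * (bits // 4 - 1)


# Constructed moduli excerpt; only the bit lengths are realistic.
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    f"20170925000000 2 6 100 2047 2 {_fake_modulus(2048)}",
    f"20170925000001 2 6 100 3071 2 {_fake_modulus(3072)}",
    f"20170925000002 2 6 100 4095 5 {_fake_modulus(4096)}",
])


def parse_moduli(text):
    """Yield the bit length of each modulus, measured from the hex value
    itself rather than trusting the size column."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MODULI_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a moduli entry")
        yield int(m.group(7), 16).bit_length()


def audit_moduli(text, min_bits=3072):
    """Count groups by size and list those below the assumed min_bits policy."""
    by_bits = Counter(parse_moduli(text))
    weak = {b: n for b, n in by_bits.items() if b < min_bits}
    return {"by_bits": dict(sorted(by_bits.items())), "weak": weak,
            "clean": bool(by_bits) and not weak}


def gex_enabled(kex_algorithms):
    """True if a KexAlgorithms value still offers group exchange; as the thread
    explains, a clean moduli file alone then cannot rule out the group14 fallback."""
    return any(a.strip() in GEX_KEX for a in kex_algorithms.split(","))


if __name__ == "__main__":
    print(audit_moduli(SAMPLE_MODULI))
    print(gex_enabled("curve25519-sha256,diffie-hellman-group-exchange-sha256"))
```

Run it against the real file with `audit_moduli(open("/etc/ssh/moduli").read())`; a `clean` result only shows the file contains no small groups, not that the server can no longer negotiate them.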



More information about the openssh-unix-dev mailing list