DH Group Exchange Fallback

Joseph S Testa II jtesta at positronsecurity.com
Wed Sep 27 01:40:29 AEST 2017

On 09/24/2017 11:13 PM, Mark D. Baushke wrote:
> I wish to withdraw my suggested patch to dh.c as what OpenSSH is using
> for falling back to a value related to the client max is correct for
> some flavors of that concept.
> That said, I suspect what Joe wants is for the max provided by the
> client to be advisory such that the minimum value provided by the moduli
> file would be used if the client max is smaller than that value.
> That is, if the client sent min=1024,n=1024,max=1025 and the minimum
> modulus in the moduli file was min_moduli=3072bits, that the client max
> value be ignored in favor of using the MAX(max,min_moduli). In this way,
> the administrator that no longer wanted to support 2048 bit group14 for
> clients would be able to support a 3072-bit minimum to be sent for the
> client.
> Is this what you wanted to address Joe?

Sure, that's one way to handle it.  As I mentioned in my reply to djm, 
the server can either disconnect or just send the 3072-bit modulus and 
let the client decide what it wants to do.

I don't feel too strongly about either option, as long as the end result 
is the code respects the admin's decision on minimum modulus sizes to 
use.  That's my main concern.

> I would have no objection to such a patch for OpenSSH.
> 	-- Mark
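
The two server behaviours discussed in this thread (disconnect, or treat the client's max as advisory and send the smallest modulus the admin still offers), sketched as an added example that is not part of the original message and is not OpenSSH's dh.c code. The names `gex_choose_bits` and `gex_policy`, the moduli sizes, and the selection rule used when the client's range does overlap the file are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* What to do when the client's max is below the smallest admin-offered modulus. */
enum gex_policy { GEX_DISCONNECT, GEX_SEND_ADMIN_MIN };

/*
 * Choose a modulus size in bits for a group-exchange request (min, n, max).
 * moduli[] lists the sizes present in the moduli file. Returns the chosen
 * size, or 0 when the server should disconnect.
 */
static int gex_choose_bits(const int *moduli, size_t count,
                           int min, int n, int max, enum gex_policy policy)
{
    int admin_min = 0, best = 0;
    size_t i;

    if (count == 0 || min > n || n > max)
        return 0;                       /* nothing to offer or malformed request */

    for (i = 0; i < count; i++)         /* smallest size the admin left in the file */
        if (admin_min == 0 || moduli[i] < admin_min)
            admin_min = moduli[i];

    if (max < admin_min)                /* client max treated as advisory, or refused */
        return policy == GEX_SEND_ADMIN_MIN ? admin_min : 0;

    /* Assumed normal rule: smallest size >= n inside [min, max], else the largest below n. */
    for (i = 0; i < count; i++) {
        int b = moduli[i];
        if (b < min || b > max)
            continue;
        if (b >= n) {
            if (best < n || b < best)
                best = b;
        } else if (best < n && b > best) {
            best = b;
        }
    }
    return best;                        /* 0 if no size fits the requested range */
}

int main(void)
{
    const int moduli[] = { 3072, 4096, 8192 };   /* constructed moduli file contents */
    printf("disconnect policy: %d\n", gex_choose_bits(moduli, 3, 1024, 1024, 1025, GEX_DISCONNECT));
    printf("advisory-max policy: %d\n", gex_choose_bits(moduli, 3, 1024, 1024, 1025, GEX_SEND_ADMIN_MIN));
    return 0;
}
```

Under either policy the result never drops below the smallest size left in the moduli file, which is the property the reply asks for.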
