DH Group Exchange Fallback
Joseph S Testa II
jtesta at positronsecurity.com
Wed Sep 27 01:40:29 AEST 2017
On 09/24/2017 11:13 PM, Mark D. Baushke wrote:
> I wish to withdraw my suggested patch to dh.c as what OpenSSH is using
> for falling back to a value related to the client max is correct for
> some flavors of that concept.
> That said, I suspect what Joe wants is for the max provided by the
> client to be advisory such that the minimum value provided by the moduli
> file would be used if the client max is smaller than that value.
> That is, if the client sent min=1024,n=1024,max=1025 and the minimum
> modulus in the moduli file was min_moduli=3072bits, that the client max
> value be ignored in favor of using the MAX(max,min_moduli). In this way,
> the administrator that no longer wanted to support 2048 bit group14 for
> clients would be able to support a 3072-bit minimum to be sent for the
> Is this what you wanted to address Joe?
Sure, that's one way to handle it. As I mentioned in my reply to djm,
the server can either disconnect or just send the 3072-bit modulus and
let the client decide what it wants to do.
I don't feel too strongly about either option, as long as the end result
is the code respects the admin's decision on minimum modulus sizes to
use. That's my main concern.
> I would have no objection to such a patch for OpenSSH.
> -- Mark
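
The two server behaviours discussed in this message (disconnect, or treat the client max as advisory and send the admin's smallest modulus), as an added example that is not OpenSSH code and not from either author. The function name, the policy enum and the sample moduli sizes are hypothetical, and the smallest size in the moduli file is assumed to be the admin's minimum.

```c
#include <stdio.h>

/* Hypothetical policies for a client max below the admin's smallest modulus. */
enum floor_policy { POLICY_DISCONNECT, POLICY_SEND_FLOOR };

/*
 * Choose a modulus size in bits for a request (min, n, max). sizes[] is the
 * set of bit lengths in the moduli file; its smallest entry is the admin's
 * minimum. Returns 0 when the server should disconnect.
 */
static int
choose_modulus_bits(const int *sizes, int count, int min, int n, int max,
    enum floor_policy policy)
{
	int i, floor_bits = 0, best = 0;

	if (count <= 0 || min > n || n > max)
		return 0;	/* no moduli, or malformed request */
	for (i = 0; i < count; i++)
		if (floor_bits == 0 || sizes[i] < floor_bits)
			floor_bits = sizes[i];
	if (max < floor_bits) {
		if (policy == POLICY_DISCONNECT)
			return 0;
		max = floor_bits;	/* MAX(max, min_moduli): client max is advisory */
	}
	/* Smallest size >= n inside [min, max]; failing that, the largest below n. */
	for (i = 0; i < count; i++) {
		if (sizes[i] < min || sizes[i] > max)
			continue;
		if (sizes[i] >= n) {
			if (best < n || sizes[i] < best)
				best = sizes[i];
		} else if (best < n && sizes[i] > best)
			best = sizes[i];
	}
	return best;
}

int
main(void)
{
	const int sizes[] = { 3072, 4096, 8192 };	/* constructed sample */

	printf("%d\n", choose_modulus_bits(sizes, 3, 1024, 1024, 1025, POLICY_SEND_FLOOR));
	printf("%d\n", choose_modulus_bits(sizes, 3, 1024, 1024, 1025, POLICY_DISCONNECT));
	return 0;
}
```

With either policy the server never hands out a modulus smaller than the smallest one in the moduli file, which is the property the message asks for.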