We have hardened our server (bitbucket on-premise) so that only "safe" curves and ciphers are used for key exchange. Now, when we run flux bootstrap we get the following message (when using
It appears flux only supports the following key exchange ciphers and we could not find a way to alter it:
All of these NIST curves, as well as DH group 14, are marked as weak on SafeCurves (https://safecurves.cr.yp.to/) except the openssh extension to We have found a ticket with Atlassian (https://jira.atlassian.com/browse/BSERV-10175) which discusses this and where they state that openssh-specific ciphers (e.g. sha256@libssh.org) are not supported, so this is not an option for us. It would be fantastic if we could get some more control over the ciphers which are supported by flux, such as enabling some more diffie-hellman groups, so we can retain our compliance while still using flux. Any advice is appreciated as we have been using flux v1 for a very long time without incident and are very keen to migrate to v2.
To be able to give you configurable options, there must be support for more KEX algorithms first. Looking at the underlying Go library that is used for SSH connections (golang/crypto), there are not many Diffie Hellman groups that are supported, except for diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256: https://github.com/golang/crypto/blob/57b3e21c3d5606066a87e63cfe07ec6b9f0db000/ssh/kex.go#L30-L34
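The failure described in this thread comes from the SSH negotiation rule itself: the client walks its KEX list in order and picks the first name the server also lists, matching names byte-for-byte. The following Go program is an added example, not code from Flux or golang.org/x/crypto; the "Flux" client list and both server policies are assumptions constructed for the demonstration, and it shows why a hardened server that only lists curve25519-sha256 still fails against a client that only knows the curve25519-sha256@libssh.org spelling.

```go
package main

import (
	"fmt"
	"strings"
)

// negotiateKex applies the RFC 4253 section 7.1 rule for key exchange:
// the first algorithm on the client's list that the server also lists wins.
// Names must match exactly, so "curve25519-sha256" and
// "curve25519-sha256@libssh.org" are distinct strings even though they
// name the same algorithm.
func negotiateKex(clientList, serverList string) (string, bool) {
	offered := map[string]bool{}
	for _, name := range strings.Split(serverList, ",") {
		offered[strings.TrimSpace(name)] = true
	}
	for _, name := range strings.Split(clientList, ",") {
		name = strings.TrimSpace(name)
		if offered[name] {
			return name, true
		}
	}
	return "", false
}

// Assumed client list (an assumption for this example, not taken from the
// page): the KEX names a golang.org/x/crypto/ssh based client might offer.
const assumedFluxKex = "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1"

// Constructed server policies: a hardened list with no NIST curves or
// group 14, and the same list with the libssh.org alias added back.
const hardenedServerKex = "curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
const compatibleServerKex = "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512"

func main() {
	for _, srv := range []string{hardenedServerKex, compatibleServerKex} {
		if kex, ok := negotiateKex(assumedFluxKex, srv); ok {
			fmt.Printf("server %q -> negotiated %s\n", srv, kex)
		} else {
			fmt.Printf("server %q -> no common KEX algorithm, handshake fails\n", srv)
		}
	}
}
```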