Issue 1507: Add support for CTR ciphers
CBC ciphers are considered vulnerable[1]. It's now recommended practice to prefer CTR ciphers, and some security guidelines even require disabling CBC ciphers[2]. It means that Gerrit is unusable in these environments. Unless I am mistaken, CTR ciphers are supported already by JCE, so this should be a straight-forward patch that is mostly copy/pasting of the AES*CBC cipher code. I've submitted this request to upstream[3]. However, Gerrit could add these ciphers internally with minimal code if MINA SSHD doesn't take up the issue.
[1] http://www.openssh.com/txt/cbc.adv
[2] http://svn.fedorahosted.org/svn/aqueduct/trunk/compliance/Bash/STIG/rhel-5-beta/prod/GEN005511.sh
[3] https://issues.apache.org/jira/browse/SSHD-180
Sep 17, 2012
#1
Ian.Kuml...@gmail.com
Oct 22, 2012
I am not aware of the implementation issues that you have identified. For my purposes, 40mb/s would be more than sufficient for our software development. At best, your issue seems to be against the JRE you use and not against the Gerrit project. Note that [3] was closed and completed, although a new release has not been made yet.
Jul 14, 2014
My IT department likes to have scans come up as clean as possible. I would be interested in a configuration option to disable the CBC ciphers that are currently throwing issues.
Jul 14, 2014
You can configure the ciphers used by setting the sshd.cipher setting for the SSH daemon (https://gerrit-review.googlesource.com/Documentation/install.html#cryptography). The upcoming 2.9 release now enables support for the various CTR ciphers if you also install the JCE extensions.
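As an added illustration of the sshd.cipher setting mentioned in the comment above (example configuration written for this page, not taken from the issue thread or from Gerrit's own documentation): a gerrit.config fragment that first shows the weak form, which keeps a CBC cipher on offer, and then the hardened form, which removes every CBC mode from the daemon's default cipher list so that only the CTR ciphers remain. The "-" prefix meaning "remove this cipher from the default set", the listed cipher names, and the etc/gerrit.config path are assumptions based on the Gerrit 2.9 era config-gerrit documentation; check the sshd section of the documentation shipped with your Gerrit version before relying on them. The port is the Gerrit default and is a placeholder for whatever you run.

```ini
# etc/gerrit.config (added example, not from the issue thread)
#
# Weak: listing a CBC cipher explicitly keeps it on offer, and a scanner
# that flags CBC modes will still report the daemon.
[sshd]
    listenAddress = *:29418
    cipher = aes128-cbc

# Hardened (replaces the [sshd] block above, do not keep both): keep the
# default cipher set but remove each CBC mode with a "-" prefix, leaving
# aes128-ctr, aes192-ctr and aes256-ctr. Assumes Gerrit 2.9 or later; the
# 192/256-bit ciphers additionally need the JCE unlimited-strength policy
# files on older JREs, as the comment above notes.
[sshd]
    listenAddress = *:29418
    cipher = -aes128-cbc
    cipher = -aes192-cbc
    cipher = -aes256-cbc
    cipher = -blowfish-cbc
    cipher = -3des-cbc
```

After restarting Gerrit, verify the result from a client rather than trusting the config file: `ssh -p 29418 -o Ciphers=aes128-cbc user@gerrit.example.com` should be refused by the server with a "no matching cipher found" error, while the same command with `-o Ciphers=aes128-ctr` should connect. If the CBC connection still succeeds, either the removal syntax differs in your version or the daemon was not restarted.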
Sep 22, 2014
I just upgraded to Gerrit 2.9, and I can confirm that I now have the option to use CTR ciphers, so this issue can be closed.
Sep 22, 2014
(No comment was entered for this change.)
Status:
Released
Labels: FixedIn-2.9