Issue 1507: Add support for CTR ciphers
Status:  Released
Owner: ----
Closed:  Sep 2014
Reported by geekmug, Aug 5, 2012
CBC ciphers are considered vulnerable[1]. It's now recommended practice to prefer CTR ciphers, and some security guidelines even require disabling CBC ciphers[2]. It means that Gerrit is unusable in these environments.

Unless I am mistaken, CTR ciphers are supported already by JCE, so this should be a straight-forward patch that is mostly copy/pasting of the AES*CBC cipher code.

I've submitted this request to upstream[3]. However, Gerrit could add this ciphers internally with minimal code if MINA SSHD doesn't take up the issue.

[1] http://www.openssh.com/txt/cbc.adv
[2] http://svn.fedorahosted.org/svn/aqueduct/trunk/compliance/Bash/STIG/rhel-5-beta/prod/GEN005511.sh
[3] https://issues.apache.org/jira/browse/SSHD-180
Sep 17, 2012
#1 Ian.Kuml...@gmail.com
Is the version available in JCE threaded, like:
http://www.psc.edu/index.php/hpn-ssh

I benched my new server and it peaks at ~40 mb/s and this seems related to the non-threading nature of how it currently works. (then streams got me up to 1.93 gbit/s)
Oct 22, 2012
#2 geekmug
I am not aware of the implementation issues that you have identified. For my purposes, 40mb/s would be more than sufficient for our software development. At best, your issue seems to be against the JRE you use and not against the Gerrit project.

Note that [3] was closed and completed, although a new release has not be made yet.
Jul 14, 2014
#3 gavinswa...@gmail.com
My IT department likes to have scans come up as clean as possible. I would be interested in a configuration option to disable the CBC ciphers that are currently throwing issues.
Jul 14, 2014
#4 m...@talios.com
You can configure the ciphers used by setting the sshd.cipher setting for the SSH daemon. ( https://gerrit-review.googlesource.com/Documentation/install.html#cryptography )

The upcoming 2.9 release now enables support for the various CTR ciphers if you also install the JCE extensions.
Sep 22, 2014
#5 geekmug
I just upgraded to Gerrit 2.9, and I can confirm that I now have the option to use CTR ciphers, so this issue can be closed.
Sep 22, 2014
Project Member #6 David.Os...@gmail.com
(No comment was entered for this change.)
Status: Released
Labels: FixedIn-2.9