mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pawel Sm7 <pawel....@gmail.com>
Subject fallback to weaker DH algorithms, moduli file integrity and generating
Date Wed, 30 Apr 2014 14:36:57 GMT
Hello,

I have 3 issues I would like to discuss.

1. Handling error scenarios if Prime cannot be found.
Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
cannot be found.

The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
Group14 (embedded within the Code) if Prime cannot be found, either due to
MODULI File Access Errors or Prime Not Found in the File, is the typical
approach of most SSH Server Implementations.
OpenSSH follows this paradigm. Also it would help in communications
robustness.
It would be also nice to have a log event when the fallback happens.
Do you agree that this is an issue? When could it be implemented?

2. Moduli file integrity handling.
Could you create e.g. a SHA-256 hash fingerprint of the moduli file
contents, store it somewhere and add validation of moduli file using the
fingerprint.
This way we can deal with unauthorized tampering of moduli file. It is
potential security issue.

3. Moduli file generator
Is there a roadmap to add a moduli generator so that there’s full support
for group exchange generation and usage within Mina?
e.g. Primes could be regenerated also when moduli file is corrupted.


Regards,

Pawel

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message