From unknown Thu Mar 28 13:39:53 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#472: Upgrade SSH key exchange and message authentication code from SHA1 to SHA2 Reply-To: =?UTF-8?Q?Aur=C3=A9lien?= Grosdidier , 472@bugs.x2go.org Resent-From: =?UTF-8?Q?Aur=C3=A9lien?= Grosdidier Resent-To: x2go-dev@lists.berlios.de Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Thu, 03 Apr 2014 14:35:02 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: report 472 X-X2Go-PR-Package: x2goclient X-X2Go-PR-Keywords: Received: via spool by submit@bugs.x2go.org id=B.139653540219972 (code B); Thu, 03 Apr 2014 14:35:02 +0000 Received: (at submit) by bugs.x2go.org; 3 Apr 2014 14:30:02 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_40,FREEMAIL_FROM, T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ymir (Postfix) with ESMTPS id 30E455DB20 for ; Thu, 3 Apr 2014 16:30:01 +0200 (CEST) Received: by mail-wi0-f172.google.com with SMTP id hi2so7869730wib.11 for ; Thu, 03 Apr 2014 07:30:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type; bh=HXoQRUPGNr9l1QkPH7wuHBrSnbhn1ZVQB/RMHet0RRI=; b=wWKiYJ+XWwbNbSWiLAlL+1vWbh3AIORTybKd+JbUBS1Q8XDUheAK4ipyysJr3d6eTz +zsAUe6xukSUuCYAxU2GT+Fz4HfQJ9AtdrQy8vzKhVewuc7c+WFRmU/6D7LaAalqQHft aQ0kncDnLfkeL6qF+H+LiuNU9kO1vPsEnYFBiNhWfcESPrOlzsPktx6FryWcEV2JMl8M rzUVve9epr1qPGxWzljw6tOhkS3phPknZ0lenQd8LfhnwCjJbo+AUe9xXWtS7nV4AuxS QuQMKGbqTv+0E7SKjnS9Eh3orH5VSLv57fgOA0gfIi7LCLjX4gdCQ5Y4JAgZGniJsWAN QmCg== X-Received: by 10.180.39.173 with SMTP id q13mr11731773wik.26.1396535400581; Thu, 03 Apr 2014 07:30:00 -0700 (PDT) Received: from [192.168.0.10] (latitude77.org. [78.212.28.115]) by mx.google.com with ESMTPSA id t1sm1435905wia.1.2014.04.03.07.29.58 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 03 Apr 2014 07:29:58 -0700 (PDT) Message-ID: <533D7062.2090803@gmail.com> Date: Thu, 03 Apr 2014 16:29:54 +0200 From: =?UTF-8?Q?Aur=C3=A9lien?= Grosdidier User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: submit@bugs.x2go.org X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN" This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Package: x2goclient Version: 4.0.1.3-1 When establishing the connection to a server, x2goclient rely on diffie-hellman-group1-sha1 and hmac-sha1 as key exchange algorithm and message authentication code, respectively. Unfortunately, SHA1 can't be considered that safe: - https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html - http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html As a consequence, the connection of x2goclient to an hardened SSH server (ie. not supporting SHA1) fails: kex error : did not find one of algos diffie-hellman-group1-sha1 in list ... kex error : did not find one of algos hmac-sha1 in list ... This problem could be solved: - either by using SHA2 KexAlgorithms and MACs in x2goclient - or by allowing users to choose between SHA1 or SHA2 hash functions --hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTPXBlAAoJEF25vWdzB3fIFQQQAIyGi+ibC0ilEuKjgrLtfORr qNvvU8Z2Cumq0GAnuZe6+e11HD5NXz9fD1p8iYNevJjUdHKeMDh/sZm9ipHRJvdl /cTWnUOw9DuQIZfDKbOavxxoLxEkGbRDO0B4thm8NBuJJ2pSEHD6TRDq98N4z0ZS TIDwNQG4tgkQjbh6BEusE3dWzvctdR00C9FH6sHIHusa+E9jURstk3LZYuRQWZVS +Gu4XjnwDnIrjS+LoSxVwhCu+fV73vIx7W2Gq7IHYyhTFoRv45gHWZgZ5eJrVRV9 MQXoSAhUxyAFNpRpIiHBjaCf1kmYIkXr0sZNicBSLwsFl2mm47Wx2uMG40IucPy0 YCoJ6ls3WmgFTGKvCjjDwCbh0bSkAH+LTljbqKpTy0dl7lDx7vuleWKRnH+ERdHd RAvtp2JCIYWT/uiFEka/Q3dZnpe4kkFLgYhdWS6vZRLulEO3aWY5D4OuxquoDsHV MlOzK2nmnACbL+YCV4o7YSMfN3Jlpn/Xfevyjyr+wntA8EK0SeUas8nCzGqdrysH intfn4Da+BEaDMXvqMQCbTMGWDuflQ/4euAfByU/oZhFNNhbSe7rAZOK6aFEH1A9 7gyR4mjvA/HC4yopu9W2Y3a6GC6izOlOqsdf/Ij3btdPFRtPvYO2Ti4rF2hZ++m9 dAqqYEVSTJ6E11hqMlLf =PVmN -----END PGP SIGNATURE----- --hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN--