x/crypto/ssh: library deprecates ciphers over-eagerly #12131

wwaites opened this issue Aug 13, 2015 · 3 comments


@wwaites wwaites commented Aug 13, 2015


"This is based on RFC 4253, section 6.4, but with hmac-md5 variants
 removed because they have reached the end of their useful life."

Unfortunately this is wishful thinking. ssh servers should not use old ciphers,
but sometimes they do, and we still need to manage them. Sometimes we
have no control over the server implementation -- in this instance it's
Mikrotik routers. Deprecated ciphers are still useful in this circumstance
even though in an ideal world this would not be the case.

I'd work on making a patch, but as this appears to be a conscious choice
I want to check here first to make sure I'm not wasting my time if it would
be rejected out of hand.

@mikioh mikioh changed the title ssh library deprecates ciphers over-eagerly x/crypto/ssh: library deprecates ciphers over-eagerly Aug 13, 2015
@mikioh mikioh added this to the Unreleased milestone Aug 13, 2015

@bradfitz bradfitz commented Aug 14, 2015

/cc @agl


@hanwen hanwen commented Aug 18, 2015

This is a conscious choice. Note that starting with version 7, OpenSSH is also leaving out deprecated ciphers by default.

Adding hmac-md5 to a local copy of go.crypto should be fairly trivial.

@agl agl self-assigned this Aug 22, 2015

@agl agl commented Aug 22, 2015

If there's a significant population of devices that need this then it could probably be added, but disabled by default. But I think that this is the first time that hmac-md5 has been requested so a local solution is appropriate for now.

@agl agl closed this Aug 22, 2015
@golang golang locked and limited conversation to collaborators Aug 22, 2016
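
The "supported, but disabled by default" design raised in the thread can be sketched as follows. This is an added example, not code from x/crypto/ssh or from any participant. It uses only the standard library and models MAC selection as RFC 4253 section 7.1 defines it (the first name on the client's list that the server also lists). The default list contents, the helper names `clientMACs` and `negotiateMAC`, and the server lists are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// defaultMACs is what the client offers with no configuration.
// Assumed contents for this example; hmac-md5 is deliberately absent.
var defaultMACs = []string{"hmac-sha2-256", "hmac-sha1"}

// legacyMACs are implemented but never offered unless named explicitly.
var legacyMACs = map[string]bool{"hmac-md5": true, "hmac-md5-96": true}

var errNoCommonMAC = errors.New("no common MAC algorithm")

// clientMACs builds the client's name-list: defaults first, then any
// explicitly allowed legacy names, so a legacy MAC is only ever a fallback.
func clientMACs(allowLegacy ...string) ([]string, error) {
	offer := append([]string(nil), defaultMACs...)
	for _, name := range allowLegacy {
		if !legacyMACs[name] {
			return nil, fmt.Errorf("%q is not a known legacy MAC", name)
		}
		offer = append(offer, name)
	}
	return offer, nil
}

// negotiateMAC picks the first algorithm on the client's list that is
// also on the server's list (RFC 4253 section 7.1).
func negotiateMAC(client, server []string) (string, error) {
	for _, c := range client {
		for _, s := range server {
			if c == s {
				return c, nil
			}
		}
	}
	return "", errNoCommonMAC
}

func main() {
	oldDevice := []string{"hmac-md5"} // constructed server name-list
	strict, _ := clientMACs()
	_, err := negotiateMAC(strict, oldDevice)
	fmt.Println("default client:", err)
	relaxed, _ := clientMACs("hmac-md5")
	mac, _ := negotiateMAC(relaxed, oldDevice)
	fmt.Println("opt-in client:", mac)
}
```

Because the opted-in name is appended after the defaults, a server that also supports a default MAC still negotiates the stronger one; the opt-in is best scoped to the specific hosts that need it.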