[FIXED JENKINS-39738] - Enable aes192ctr and aes256ctr ciphers if JVM supports them #14
Conversation
… supports them If the JVM supports unlimited-strength encryption, we can enable more ciphers. And the new SSHD core version provides good API for it. CBC ciphers won't be added due to https://www.kb.cert.org/vuls/id/958563
|
This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation. |
| } | ||
| } else { | ||
| // We cannot determine if the cipher is supported, but the default configuration lists only Built-in ciphers. | ||
| // So somebody explicitly added it on his own risk. |
There was a problem hiding this comment.
if we log something here at info level would it be too chatty?
There was a problem hiding this comment.
It should happen once during the SSHD startup, so I do not think it is a big deal. But the problem is that these errors will appear in Stock Java builds, hence downgrading to FINE is probably a good approach
|
Thanks for following up with this @oleg-nenashev! |
| if (c.isSupported()) { | ||
| activatedCiphers.add(cipher); | ||
| } else { | ||
| LOGGER.log(Level.FINE, "Discovered unsupported built-in Cipher: {0}. It won't be enabled", c); |
There was a problem hiding this comment.
Recommend will not or won’t as message formats get confused by '.
|
@reviewbybees done since the last change is trivial. |
If the JVM supports unlimited-strength encryption, we can enable more ciphers.
And the new SSHD core version provides good API for it.
CBC ciphers won't be added due to https://www.kb.cert.org/vuls/id/958563 . So it is not exactly what has been requested in JENKINS-39738 though I think it is a reasonable fix.
@reviewbybees @jglick + @johnou @chillum since it was raised in #5 (comment)