[
https://issues.apache.org/jira/browse/SSHD-589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15008444#comment-15008444
]
Goldstein Lyor commented on SSHD-589:
-------------------------------------
* Let's agree to disagree on the issue of whether this is a regression or not.
* You need to use _SecurityUtils.getKeyPairGenerator("DH")_, this way if there
is a non-default security provider it will be picked up.
* The code needs to be run only *once* - i.e., if calling
_BuiltinDHFactories.dhgex256.isSupported()_ multiple times, the code is
executed only the *first* time and then caches its result for subsequent calls
(take into account the calls may be *multi-threaded* so account for that as
well).
* Please provide also a add a test to the _BuiltinDHFactoriesTest_ that shows
that your suggested code correctly detects the issue - e.g., on Oracle's JVM vs
OpenJDK. You need to disable the automatic registration of _Bouncycastle_ (set
"org.apache.sshd.registerBouncyCastle" system property to "false" on the
_@BeforeClass_ and remove it on _@AfterClass_).
* Please provide a pull request or a patch that can be easily applied for
testing and review.
> [regression][kex] dhgex256 is disabled in 1.x if native JCE is being used
> -------------------------------------------------------------------------
>
> Key: SSHD-589
> URL: https://issues.apache.org/jira/browse/SSHD-589
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 1.0.0, 1.1.0
> Environment: Fedora
> $ java -version
> openjdk version "1.8.0_60"
> OpenJDK Runtime Environment (build 1.8.0_60-b27)
> OpenJDK 64-Bit Server VM (build 25.60-b23, mixed mode)
> Gentoo
> $ java -version
> openjdk version "1.8.0_60"
> OpenJDK Runtime Environment (IcedTea 3.0.0pre06+ra9817b9f8a21) (Gentoo
> icedtea-3.0.0_pre06)
> OpenJDK 64-Bit Server VM (build 25.60-b23, mixed mode)
> Oracle
> NOTE1: Disable SunEC provider at jre/lib/security/java.security to reproduce.
> NOTE2: Install UnlimitedJCEPolicyJDK8
> $ java -version
> java version "1.8.0_65"
> Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
> Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)
> $ sshd -V
> OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
> Reproduce server: dev.gentoo.org (Kex only)
> Reporter: Alon Bar-Lev
> Priority: Minor
> Attachments: 0001-SSHD-589-Logging-improvements.patch,
> 0001-SSHD-589-enable-dhgex256-if-4096-DH-is-supported.patch, test1-0.14.log,
> test1-master.log, test1.tar.gz
>
>
> Using:
> 1. Same JVM to run test of 1.x and 0.x
> 2. The SunEC provider is not available.
> 3. BouncyCastle is not used.
> 4. The same Fedora-22 remote is accessed.
> Using sshd-core-0.14 works, using sshd-core-1.0.1(master, and any 1.x)
> produces:
> java.lang.IllegalStateException: Unable to negotiate key exchange for kex
> algorithms (client:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 / server:
> [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1)
> at
> org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1334)
> at
> org.apache.sshd.common.session.AbstractSession.handleKexInit(AbstractSession.java:478)
> at
> org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:412)
> at
> org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:361)
> Per Lyor request, added some more debug information into master.
> Attached:
> 1. Full test environment (test1.tar.gz) a directory per version, test using:
> JAVA_OPTS="-Djava.util.logging.config.file=./logging.properties"
> ./ssh-test.sh --host=XXXX --password=XXXX --command="echo hello"
> 2. Full debug log of 0.14 and master.
> 3. Diff of logging.
> This is a behaviour change in 1.x, so far we have failed to nail it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
