lgoldstein commented on code in PR #446: URL: https://github.com/apache/mina-sshd/pull/446#discussion_r1435103523
##########
CHANGES.md:
##########
@@ -36,13 +36,26 @@ ## Behavioral changes and enhancements
+### [GH-445 - Terrapin attack mitigation](https://github.com/apache/mina-sshd/issues/429)
+
+There is a **new** `CoreModuleProperties` property that controls the mitigation for the [Terrapin attach](https://terrapin-attack.com/) via what is known as
+"strict-KEX" (see [OpenSSH PROTOCOL - 1.9 transport: strict key exchange extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)).
+It is **disabled** by default due to its experimental nature and possible interoperability issues, so users who wish to use this feature must turn it on *explicitly*.

Review Comment:
   I struggled with this, but have decided (PMC prerogative...) that since it is a "fresh" feature without much mileage behind it to disable it by default in order to safeguard stability. Once we release it "into the wild" and gain some usage mileage + (hopefully positive) feedback from our users, we will make it enabled by default in a future release. FYI, we have used a similar policy when we deprecated older RSA/DSA keys.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
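Review bot: the new GH-445 changelog entry in this hunk has a typo and a mismatched link: the prose reads `[Terrapin attach](https://terrapin-attack.com/)` where it should say `Terrapin attack`, and the heading is labelled GH-445 while its URL points at `issues/429`, so one of the two should be corrected before merge so readers land on the right issue. The entry also says a **new** `CoreModuleProperties` property controls strict-KEX without naming it; since the feature ships disabled and users are told to turn it on explicitly, the entry should state the property name so they can find the switch they are being asked to flip.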