[asterisk-dev] Usage of weak key algorithm on Gerrit

Leif Madsen leif at leifmadsen.com
Thu Feb 25 09:59:54 CST 2016


Apologies if this is a well known issue and I'm just stirring the pot :)

Attempted to check out Asterisk from Gerrit today, and got a message I
didn't recognize.

>    Cloning into 'asterisk'...
>    Unable to negotiate with 76.164.171.232: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
>    fatal: Could not read from remote repository.
>
>    Please make sure you have the correct access rights
>    and the repository exists.

Quick search turned up the answer though. A weak key implementation on
Gerrit (which my OpenSSH disables by default):

http://www.openssh.com/legacy.html

Workaround was to add to my ~/.ssh/config:

>    Host gerrit.asterisk.org
>        KexAlgorithms +diffie-hellman-group1-sha1

Perhaps this could be modified so that the key exchange is slightly more
secure? It's all open source stuff here, so the exchange may not be THAT
necessary, but might not be a bad idea :)

Thanks!

-- 
Leif Madsen
http://www.oreilly.com/catalog/asterisk
http://www.leifmadsen.com
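
The workaround in the post confines the legacy algorithm to a single `Host` block. As an added example (not part of the original post, and not OpenSSH or Asterisk project code), this ssh_config audit reports every scope where a weak key exchange is enabled and whether that scope is broader than one host. The function name, the sample config and `build.example.org` are constructed, and only exact algorithm names are matched.

```python
import re

# The algorithm named in the post; pass a larger set to audit for others.
WEAK_KEX = frozenset({"diffie-hellman-group1-sha1"})

# Constructed sample config (not from the post); build.example.org is made up.
SAMPLE = """\
Host gerrit.asterisk.org
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    kexalgorithms=+diffie-hellman-group1-sha1
    ServerAliveInterval 60

Host build.example.org
    KexAlgorithms -diffie-hellman-group1-sha1
"""

def weak_kex_scopes(config_text, weak=WEAK_KEX):
    """Return (scope, algorithm, is_broad) for each place a weak KEX is enabled."""
    findings = []
    scope, broad = "(global)", True  # options before any Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value"; keywords ignore case.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            scope = "Host " + value
            # Broad if any non-negated pattern contains a wildcard.
            broad = any("*" in p or "?" in p
                        for p in value.split() if not p.startswith("!"))
        elif key == "match":
            scope = "Match " + value
            broad = value.lower() == "all"
        elif key == "kexalgorithms" and not value.startswith("-"):
            # "+" appends and "^" prepends to the defaults; a bare list replaces
            # them. A leading "-" only removes algorithms, so it is skipped.
            for name in value.lstrip("+^").split(","):
                if name.strip() in weak:
                    findings.append((scope, name.strip(), broad))
    return findings

if __name__ == "__main__":
    for scope, alg, broad in weak_kex_scopes(SAMPLE):
        print(f"{scope}: {alg} enabled{' (scope too broad)' if broad else ''}")
```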