[asterisk-dev] Usage of weak key algorithm on Gerrit

Rusty Newton rnewton at digium.com
Fri Feb 26 16:02:32 CST 2016


On Fri, Feb 26, 2016 at 3:48 PM, Matt Fredrickson <creslin at digium.com> wrote:
> Reply below.
>
> On Thu, Feb 25, 2016 at 9:59 AM, Leif Madsen <leif at leifmadsen.com> wrote:
>>
>> Apologies if this is a well known issue and I'm just stirring the pot :)
>>
>> Attempted to check out Asterisk from Gerrit today, and got a message I
>> didn't recognize.
>>
>> >    Cloning into 'asterisk'...
>> >    Unable to negotiate with 76.164.171.232: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
>> >    fatal: Could not read from remote repository.
>> >
>> >    Please make sure you have the correct access rights
>> >    and the repository exists.
>>
>> Quick search turned up the answer though. A weak key implementation on
>> Gerrit (which my OpenSSH disables by default):
>>
>> http://www.openssh.com/legacy.html
>>
>> Workaround was to add to my ~/.ssh/config:
>>
>> >    Host gerrit.asterisk.org
>> >        KexAlgorithms +diffie-hellman-group1-sha1
>>
>> Perhaps this could be modified so that the key exchange is slightly more
>> secure? It's all open source stuff here, so the exchange may not be THAT
>> necessary, but might not be a bad idea :)
>
>
>
> Thanks for the heads up on this Leif.  We'll see if we can look into this.
>

Josh is taking care of it. Looks like Gerrit needs some updated Bouncy
Castle libraries.

https://code.google.com/p/gerrit/issues/detail?id=3517

-- 
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200

Check us out at: http://digium.com & http://asterisk.org
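
An audit for the workaround quoted in the thread above, as an added example that is not part of the original messages: once the server offers a stronger key exchange, a leftover `KexAlgorithms +diffie-hellman-group1-sha1` override keeps the weak method enabled on the client, so this scans ssh_config text for it. The function name `find_weak_kex`, the sample config and the one-entry weak set are assumptions made for the example.

```python
import re

# Only the method named in the thread; extending this set is the reader's call.
WEAK_KEX = frozenset({"diffie-hellman-group1-sha1"})

# Constructed sample config (hosts other than gerrit.asterisk.org are made up).
SAMPLE = """\
# constructed sample
Host gerrit.asterisk.org
    KexAlgorithms +diffie-hellman-group1-sha1

Host build.example.org
    KexAlgorithms=curve25519-sha256,diffie-hellman-group14-sha256

Host old.example.org
    kexalgorithms -diffie-hellman-group1-sha1
"""


def find_weak_kex(config_text, weak=WEAK_KEX):
    """Return (scope, line_no, algorithm) for each KexAlgorithms line enabling a weak method."""
    findings = []
    scope = "(global)"  # options before the first Host/Match apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            scope = f"{parts[0]} {value}"
        elif keyword == "kexalgorithms":
            if value.startswith("-"):
                continue  # "-list" removes methods from the defaults
            if value.startswith(("+", "^")):
                value = value[1:]  # "+" and "^" add to the defaults
            for alg in (a.strip() for a in value.split(",")):
                if alg in weak:
                    findings.append((scope, line_no, alg))
    return findings


if __name__ == "__main__":
    for scope, line_no, alg in find_weak_kex(SAMPLE):
        print(f"line {line_no}: {scope} enables {alg}")
```

To check a real client, pass the contents of `~/.ssh/config` to `find_weak_kex` instead of `SAMPLE`.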
