CODEWITHSUNDEEP
javasshjava-8jsch
Mike
Mike

Reputation: 3311

JSch Disable specific Ciphers without changing code

I work with a number of financial institutions, and one of them requested that we disable some of our ciphers used to connect to them. Specifically, they requested hmac-md5 and aes128-ctr be removed, and they recommended we remove aes128-cbc due to them being less secure.

Is there a way, either through command line switches, or maybe the Java security file, to easily remove these ciphers?

Looking at some of the examples, it looks like I would have to build the list of the ones I want without the above three (poor example copied from the AES example): 

session.setConfig("cipher.s2c", "aes128-cbc,3des-cbc,blowfish-cbc");
session.setConfig("cipher.c2s", "aes128-cbc,3des-cbc,blowfish-cbc");
session.setConfig("CheckCiphers", "aes128-cbc");

Obviously, if they remove them on the server side, my client won't use them, but I could see this becoming more common. I don't really want to go through a code change at the moment.

Snippet from the debug log: 

INFO: Remote version string: SSH-2.0-WS_FTP-SSH_8.5.0
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
INFO: kex: server: ssh-dss,ssh-rsa
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc,blowfish-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc,blowfish-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-384,hmac-sha2-512
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-384,hmac-sha2-512
INFO: kex: server: none
INFO: kex: server: none
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: kex: server->client aes128-ctr hmac-md5 none
INFO: kex: client->server aes128-ctr hmac-md5 none

Upvotes: 3

Views: 5577

Answers (1)

Martin Prikryl
Martin Prikryl

Reputation: 202652

JSch does not load the default configuration from anywhere, by default.

So there's no way to change the configuration, unless your code is explicitly ready for that.

There's an easy way to implement this though. You can use OpenSSHConfig class that is able to parse a file with a syntax of common OpenSSH ssh_config file.

OpenSSHConfig config = new OpenSSHConfig();
config.parse("/some/path/ssh_config-like-file");
JSch.setConfigRepository(config);

The ssh_config-like file can then contain:

Ciphers aes128-cbc,3des-cbc,blowfish-cbc

Having that said, it really makes no sense for them to ask you to remove the ciphers. It's their job not to allow the ciphers on their server.

Upvotes: 2

Related Questions