IETF Logo Mail Archive

[Ssh] Re: New draft: draft-miller-sshm-strict-kex

Theo de Raadt <deraadt@openbsd.org> Wed, 19 March 2025 04:45 UTC

Return-Path: <deraadt@openbsd.org>
X-Original-To: ssh@mail2.ietf.org
Delivered-To: ssh@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D348CE5C15A for <ssh@mail2.ietf.org>; Tue, 18 Mar 2025 21:45:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=openbsd.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhzrlE1mIgUP for <ssh@mail2.ietf.org>; Tue, 18 Mar 2025 21:45:32 -0700 (PDT)
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A975BE5C09C for <ssh@ietf.org>; Tue, 18 Mar 2025 21:45:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=fAmR0mgPO2 BU6rZpFpvgHUh9o+cTfRJ1w3gN31fS950=; h=date:references:in-reply-to: subject:cc:to:from; d=openbsd.org; b=Tecuy5d82DqQKZz3Nsa13A5A/fARlpcmp GSfIItwlptf9k+516COepgWf8JcaIBRXmX/IoNbIV1s9dSyepI15qSVME0/ltV2VQWOWg7 x65km0DyyFHlJptjXV8G5argbqY8Y5Ae3iGhiTshlBIN0jd+kdSC7tSfpgV+xG8B1ruEJK P2QKmSdYnyLLViwkqfeUo+KaOSndAdovOuH8LdBrk3Wt0CokadO5cKR+BFEHILr9Hq8WE6 jtfj8+rtwCmM5EqVx7n7irfEkgDpqYhtZTXQtcbxEsHqVhsUQFi5uLgcNPfrP0ac2YMGJ6 G8FeHgufxgJHigt9lc5lvRfrFU7Rw==
Received: from cvs.openbsd.org (localhost [127.0.0.1]) by cvs.openbsd.org (OpenSMTPD) with ESMTP id 3e7adc0b; Tue, 18 Mar 2025 22:45:23 -0600 (MDT)
From: Theo de Raadt <deraadt@openbsd.org>
To: Tero Kivinen <kivinen@iki.fi>
In-reply-to: <26585.22297.633202.4646@fireball.acr.fi>
References: <c4d033ca-85c9-b16d-5939-51435f888b27@mindrot.org> <23954.1742222832@cvs.openbsd.org> <26584.58468.733342.890179@fireball.acr.fi> <87sena67fu.fsf@josefsson.org> <26585.20817.616119.91145@fireball.acr.fi> <87h63q1tsw.fsf@josefsson.org> <26585.22297.633202.4646@fireball.acr.fi>
Comments: In-reply-to Tero Kivinen <kivinen@iki.fi> message dated "Tue, 18 Mar 2025 13:20:57 +0200."
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <35538.1742359523.1@cvs.openbsd.org>
Date: Tue, 18 Mar 2025 22:45:23 -0600
Message-ID: <84478.1742359523@cvs.openbsd.org>
Message-ID-Hash: LGJKMBXNO2JRK3TYO54Y4CXBCHWXUG6B
X-Message-ID-Hash: LGJKMBXNO2JRK3TYO54Y4CXBCHWXUG6B
X-MailFrom: deraadt@openbsd.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Simon Josefsson <simon@josefsson.org>, Damien Miller <djm@mindrot.org>, ssh@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Ssh] Re: New draft: draft-miller-sshm-strict-kex
List-Id: "The SSH mail list will allow discussions on improving aspects of the Secure Shell (SSH) protocol." <ssh.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ssh/QCmXD6ZdKOMcJgR548XKz_51HVQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ssh>
List-Help: <mailto:ssh-request@ietf.org?subject=help>
List-Owner: <mailto:ssh-owner@ietf.org>
List-Post: <mailto:ssh@ietf.org>
List-Subscribe: <mailto:ssh-join@ietf.org>
List-Unsubscribe: <mailto:ssh-leave@ietf.org>

Tero Kivinen <kivinen@iki.fi> wrote:

> So it seems we can't make chacha20-poly1305 to mandate kex-strict, so
> we are going to be stuck with every single implenentation to have to
> include both vendor specific and non-vendor specific names forever. 

The Terrapin impacts are not restricted to chacha20-poly1305 (it is just
the most well known impact).

In the coming years, we want all 4 mixes of old / new * clients /
servers, to do strict-kex.

That means clients (in particular, since they tend to be newer) need to
utilize the vendor-specific names correctlyg talking to a server (since
they servers tend to be older), otherwise there will be vulnerable sessions.

Safety is more important than document purity.

v2.36.0 | Report a Bug | By Email | System Status