Deprecation of SSH ciphers #12138

Open
adiroiban opened this issue Apr 24, 2024 · 1 comment

@adiroiban

> at least begin adding deprecation warnings to the DSA bits in Conch

Since you mention it, I should bring up that we have been deprecating stuff in Conch in fairly useless and annoying ways thus far, and we need to both (A) clean that up, and (B) take care to only actually emit deprecation warnings to useful places when you actually use stuff. Consider that conch --version does this on trunk:

$ conch --version    
/Users/glyph/Projects/Twisted/src/twisted/conch/ssh/transport.py:106: CryptographyDeprecationWarning: Blowfish has been deprecated and will be removed in a future release
  b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC),
/Users/glyph/Projects/Twisted/src/twisted/conch/ssh/transport.py:110: CryptographyDeprecationWarning: CAST5 has been deprecated and will be removed in a future release
  b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC),
/Users/glyph/Projects/Twisted/src/twisted/conch/ssh/transport.py:115: CryptographyDeprecationWarning: Blowfish has been deprecated and will be removed in a future release
  b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR),
/Users/glyph/Projects/Twisted/src/twisted/conch/ssh/transport.py:116: CryptographyDeprecationWarning: CAST5 has been deprecated and will be removed in a future release
  b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR),
Twisted version: 24.3.0.post0

This doesn't help anyone; I didn't ask for any of those algorithms and I shouldn't be seeing ugly warnings just for launching conch itself. Similarly if you start the server, the warnings just go to stderr of twist on startup, rather than to a log where an admin might actually have a hope of doing something about them.

Fixing this is certainly out of scope for this particular issue, but we should not make this problem worse if we can avoid it.

Originally posted by @glyph in #12135 (comment)

@adiroiban

I am happy to look into a "clean" deprecation method for conch.

In the past, old ciphers were just removed from conch ... so I ended up with a fork in which I am adding them back :(
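
The behaviour asked for in this thread (warn only when a deprecated cipher is actually negotiated, and send the warning to a log rather than stderr) can be sketched with the standard library alone. This is an added example, not Conch's code: `CIPHERS`, `select_cipher` and `negotiate_logged` are hypothetical names, and the table is a constructed stand-in that holds flags instead of `cryptography` algorithm classes.

```python
import logging
import warnings

# Constructed stand-in for a cipher table: name -> (key size, deprecated?).
CIPHERS = {
    b"aes256-ctr": (32, False),
    b"aes128-ctr": (16, False),
    b"blowfish-cbc": (16, True),
    b"cast128-cbc": (16, True),
}


def select_cipher(client_prefs, server_supported):
    """Return the first client-preferred cipher the server also supports."""
    for name in client_prefs:
        if name in server_supported and name in CIPHERS:
            if CIPHERS[name][1]:  # warn only for the cipher actually chosen
                warnings.warn(
                    f"SSH cipher {name.decode()} is deprecated",
                    DeprecationWarning,
                    stacklevel=2,
                )
            return name
    raise ValueError("no mutually supported cipher")


class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def negotiate_logged(client_prefs, server_supported):
    """Negotiate while routing warnings to the 'py.warnings' logger."""
    handler = _ListHandler()
    logger = logging.getLogger("py.warnings")
    logger.addHandler(handler)
    with warnings.catch_warnings():
        warnings.simplefilter("always")
        logging.captureWarnings(True)  # warnings become log records
        try:
            chosen = select_cipher(client_prefs, server_supported)
        finally:
            logging.captureWarnings(False)
            logger.removeHandler(handler)
    return chosen, handler.messages
```

Importing the module emits nothing; a log record appears only when the negotiated cipher is one of the deprecated entries.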
