BUG 3555: disable RC4 in mina-sshd 50/21850/2
authorTomas Cere <tcere@cisco.com>
Wed, 3 Jun 2015 14:57:31 +0000 (16:57 +0200)
committerGerrit Code Review <gerrit@opendaylight.org>
Mon, 8 Jun 2015 08:34:18 +0000 (08:34 +0000)
There are various security problems with RC4; this change removes
RC4 from the ciphers used in the netconf ssh server.

Change-Id: I8973daf2dfb3670f0c77ffc9099eab2cc2a6cd05
Signed-off-by: Tomas Cere <tcere@cisco.com>
(cherry picked from commit 598345a6d62c4f0a2cfb55bfbc22b6ddd9c9bab7)

opendaylight/netconf/netconf-ssh/src/main/java/org/opendaylight/controller/netconf/ssh/SshProxyServer.java

index e41a3ea..b91bdc8 100644 (file)
@@ -13,14 +13,19 @@ import io.netty.channel.EventLoopGroup;
 import java.io.IOException;
 import java.nio.channels.AsynchronousChannelGroup;
 import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
 import org.apache.sshd.SshServer;
+import org.apache.sshd.common.Cipher;
 import org.apache.sshd.common.FactoryManager;
 import org.apache.sshd.common.NamedFactory;
 import org.apache.sshd.common.RuntimeSshException;
+import org.apache.sshd.common.cipher.ARCFOUR128;
+import org.apache.sshd.common.cipher.ARCFOUR256;
 import org.apache.sshd.common.io.IoAcceptor;
 import org.apache.sshd.common.io.IoConnector;
 import org.apache.sshd.common.io.IoHandler;
@@ -39,6 +44,8 @@ import org.apache.sshd.server.ServerFactoryManager;
  */
 public class SshProxyServer implements AutoCloseable {
 
+    private static final ARCFOUR128.Factory DEFAULT_ARCFOUR128_FACTORY = new ARCFOUR128.Factory();
+    private static final ARCFOUR256.Factory DEFAULT_ARCFOUR256_FACTORY = new ARCFOUR256.Factory();
     private final SshServer sshServer;
     private final ScheduledExecutorService minaTimerExecutor;
     private final EventLoopGroup clientGroup;
@@ -55,6 +62,15 @@ public class SshProxyServer implements AutoCloseable {
         sshServer.setHost(sshProxyServerConfiguration.getBindingAddress().getHostString());
         sshServer.setPort(sshProxyServerConfiguration.getBindingAddress().getPort());
 
+        //remove rc4 ciphers
+        final List<NamedFactory<Cipher>> cipherFactories = sshServer.getCipherFactories();
+        for (Iterator<NamedFactory<Cipher>> i = cipherFactories.iterator(); i.hasNext(); ) {
+            final NamedFactory<Cipher> factory = i.next();
+            if (factory.getName().contains(DEFAULT_ARCFOUR128_FACTORY.getName())
+                    || factory.getName().contains(DEFAULT_ARCFOUR256_FACTORY.getName())) {
+                i.remove();
+            }
+        }
         sshServer.setPasswordAuthenticator(sshProxyServerConfiguration.getAuthenticator());
         sshServer.setKeyPairProvider(sshProxyServerConfiguration.getKeyPairProvider());
 
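Review bot: The loop on lines 49-57 is a deny-list applied to whatever `getCipherFactories()` returns, so the effective cipher set is still the library default minus RC4 and would silently pick up any weaker cipher a future mina-sshd default adds; pinning an explicit allow-list via `sshServer.setCipherFactories(...)` would tie the server to the ciphers the project has actually reviewed. The substring test `factory.getName().contains(...)` on lines 53-54 is looser than the intent calls for, since the two factory instances exist only to supply names — an exact `equals` against those names states the rule precisely, and logging the remaining cipher names after the loop would make the outcome auditable at startup. If `sshServer` can be built without the mina defaults, `getCipherFactories()` may be null here and the iterator call would throw; a null guard or a comment stating the assumption would make that explicit. The enclosing method starts before this hunk.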
