From: Tomas Cere Date: Wed, 3 Jun 2015 14:57:31 +0000 (+0200) Subject: BUG 3555: disable RC4 in mina-sshd X-Git-Tag: release/beryllium~510 X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?p=controller.git;a=commitdiff_plain;h=1915e780a3e1e1746c0c5071a7bda8aad57d9d36;hp=bd7166799e97b569c14103748886028479631a1c BUG 3555: disable RC4 in mina-sshd There are various security problems with RC4, this removes RC4 from the ciphers used in the netconf ssh server. Change-Id: I8973daf2dfb3670f0c77ffc9099eab2cc2a6cd05 Signed-off-by: Tomas Cere (cherry picked from commit 598345a6d62c4f0a2cfb55bfbc22b6ddd9c9bab7)
---
diff --git a/opendaylight/netconf/netconf-ssh/src/main/java/org/opendaylight/controller/netconf/ssh/SshProxyServer.java b/opendaylight/netconf/netconf-ssh/src/main/java/org/opendaylight/controller/netconf/ssh/SshProxyServer.java
index e41a3eaa2c..b91bdc8da6 100644
--- a/opendaylight/netconf/netconf-ssh/src/main/java/org/opendaylight/controller/netconf/ssh/SshProxyServer.java
+++ b/opendaylight/netconf/netconf-ssh/src/main/java/org/opendaylight/controller/netconf/ssh/SshProxyServer.java
@@ -13,14 +13,19 @@ import io.netty.channel.EventLoopGroup;
 import java.io.IOException;
 import java.nio.channels.AsynchronousChannelGroup;
 import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
 import org.apache.sshd.SshServer;
+import org.apache.sshd.common.Cipher;
 import org.apache.sshd.common.FactoryManager;
 import org.apache.sshd.common.NamedFactory;
 import org.apache.sshd.common.RuntimeSshException;
+import org.apache.sshd.common.cipher.ARCFOUR128;
+import org.apache.sshd.common.cipher.ARCFOUR256;
 import org.apache.sshd.common.io.IoAcceptor;
 import org.apache.sshd.common.io.IoConnector;
 import org.apache.sshd.common.io.IoHandler;
@@ -39,6 +44,8 @@ import org.apache.sshd.server.ServerFactoryManager;
 */
 public class SshProxyServer implements AutoCloseable {
+ private static final ARCFOUR128.Factory DEFAULT_ARCFOUR128_FACTORY = new ARCFOUR128.Factory();
+ private static final ARCFOUR256.Factory DEFAULT_ARCFOUR256_FACTORY = new ARCFOUR256.Factory();
 private final SshServer sshServer;
 private final ScheduledExecutorService minaTimerExecutor;
 private final EventLoopGroup clientGroup;
@@ -55,6 +62,15 @@ public class SshProxyServer implements AutoCloseable {
 sshServer.setHost(sshProxyServerConfiguration.getBindingAddress().getHostString());
 sshServer.setPort(sshProxyServerConfiguration.getBindingAddress().getPort());
+ //remove rc4 ciphers
+ final List> cipherFactories = sshServer.getCipherFactories();
+ for (Iterator> i = cipherFactories.iterator(); i.hasNext(); ) {
+ final NamedFactory factory = i.next();
+ if (factory.getName().contains(DEFAULT_ARCFOUR128_FACTORY.getName())
+ || factory.getName().contains(DEFAULT_ARCFOUR256_FACTORY.getName())) {
+ i.remove();
+ }
+ }
 sshServer.setPasswordAuthenticator(sshProxyServerConfiguration.getAuthenticator());
 sshServer.setKeyPairProvider(sshProxyServerConfiguration.getKeyPairProvider());
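Review bot: The two new `static final` fields hold live `ARCFOUR128.Factory`/`ARCFOUR256.Factory` instances whose only use in this commit is `getName()` in the filter loop further down, so the class now carries two RC4 factory objects purely to learn two strings. A `String` constant per name, e.g. `private static final String ARCFOUR128_NAME = new ARCFOUR128.Factory().getName();`, states the intent (a name to reject, not a cipher to offer) and keeps the factory references out of the class's state. Whichever form stays, a one-line comment on the fields would help the next reader: `// names of the RC4 cipher factories mina-sshd registers by default; they are stripped from the server's cipher list before it is started`.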
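Review bot: The removal loop added after `setPort(...)` mutates the list returned by `getCipherFactories()` in place and matches names with `contains`, so the fix silently depends on that getter handing back a live, modifiable list (an `Arrays.asList` or unmodifiable view would make `i.remove()` throw `UnsupportedOperationException` at startup) and on no other cipher name containing `arcfour128`/`arcfour256`. A more robust shape is to build a filtered copy with exact-name comparison and hand it back through `setCipherFactories(...)`, which also gives a natural place to move from a blocklist of known-bad ciphers to an explicit allowlist of what the netconf server should offer — removing RC4 still leaves whatever else the mina-sshd defaults contain, which this hunk does not show. Logging the resulting cipher names at startup would let operators confirm what the server actually negotiates. The rewrite below needs `java.util.ArrayList` imported alongside the new `Iterator`/`List` imports; the enclosing method (presumably the constructor) starts and ends outside the hunk.
```java
sshServer.setPort(sshProxyServerConfiguration.getBindingAddress().getPort());

// Drop RC4: filter into a fresh list instead of mutating the returned one, and compare names exactly.
final List<NamedFactory<Cipher>> allowedCiphers = new ArrayList<>();
for (final NamedFactory<Cipher> factory : sshServer.getCipherFactories()) {
    final String name = factory.getName();
    if (!name.equals(DEFAULT_ARCFOUR128_FACTORY.getName())
            && !name.equals(DEFAULT_ARCFOUR256_FACTORY.getName())) {
        allowedCiphers.add(factory);
    }
}
sshServer.setCipherFactories(allowedCiphers);
// … unchanged: setPasswordAuthenticator / setKeyPairProvider …
```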