Cipher compliance should be implementation independant (cipher == cipher@implementation => true)

[exploide]

Just scanned a machine and it recommends "Remove these key exchange algorithms: curve25519-sha256". Since this is probably the best one, it should not be removed. I guess this happens because ssh_scan is only aware of [email protected] (including the @... part).

[floatingatoll]

For the record - which precise builds of your software combination are you using (of SSH and SSL libraries) that advertises the cipher without the @ suffix?

…

On Sun, Jul 16, 2017 at 07:05 Jannik Vieten ***@***.***> wrote: Just scanned a machine and it recommends "Remove these key exchange algorithms: curve25519-sha256". Since this is probably the best one, it should not be removed. I guess this happens because ssh_scan is only aware of ***@***.*** (including the @... part). — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#405>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAFqDB9buTZBkZIPjzJBQase25Y0T-RTks5sOhivgaJpZM4OZTnc> .

[exploide]

It is:

# cat /etc/redhat-release 
Fedora release 26 (Twenty Six)
# ssh -Version
OpenSSH_7.5p1, OpenSSL 1.1.0f-fips  25 May 2017

Actually, it advertises both, curve25519-sha256 and [email protected].

From the changelogs of OpenSSH 7.4:

sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method named
"[email protected]".

[claudijd]

I will try to fix this today and have it resolved.

My basic plan is this...

Make ciphers a Ruby object instead of a string so I can defined their comparability such that curve25519-sha256 == curve25519-sha256@foo => true

This shouldn't be that involved and I'll update folks when I'm done.

[claudijd]

This is also a duplicate of mozilla/ssh_scan_api#79, but since the fix is in the ssh_scan lib I'll keep this as a parent and link so the other reporter has visibility that a fix is underway.