Our DevOps team has an old network management tool (using Java 6) that they're upgrading. Previously it used telnet to connect to switches; they're attempting to replace that with SSH.
The library they're using doesn't have the key exchange algorithm which the switches use. It does, however, have compatible ciphers and MAC algorithms, so we can leave that out for now.
The encryption and Our 3810M and 5400Zrl2 switches are in `secure-mode standard` with firmware versions KB.16.02 and KB.16.03 and appear to only accept `diffie-hellman-group14-sha1`. I understand that this uses a group size of 2048 bits and is acceptable for use.
This is a log (generated by their program) from one attempt to connect to the switches:
2017-03-15 12:59:12 INFO main:56 - jsCH: Connecting to <SWITCH IP ADDRESS> port 22
2017-03-15 12:59:12 INFO main:56 - jsCH: kex: <SWITCH>: diffie-hellman-group14-sha1 --keyExchange
. . .
2017-03-15 12:59:12 INFO main:56 - jsCH: kex: <SOFTWARE>: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
. . .
2017-03-15 12:59:12 INFO main:56 - jsCH: kex: <SOFTWARE>: none
2017-03-15 12:59:12 INFO main:56 - jsCH: Disconnecting from <SWITCH IP ADDRESS> port 22
`diffie-hellman-group1-sha1` is not secure due to being within the theoretical range of Logjam, however `diffie-hellman-group-exchange-sha256` and `diffie-hellman-group-exchange-sha1` can be sufficient if the client requests a group size of 2048.
Do the 3810M and 5400Zrl2 switches have these key exchanges available for use? If so, how would one go about to enable them?
#5400