Hi,
you can use the following function to do so.
You have to specify a whitelist of algorithms you want to use.
The first algorithm in your list will be used first if possible else the next algorithm will be tried.
Make sure you setup your wanted algorithms for both communication directions client <-> server !
Have a look at: libssh2_session_methods
-> to list at runtime all currently active used algorithms
Have a look at: libssh2_session_supported_algs
-> to get a list at runtime for currently supported/implemented algorithms
Have a look at: libssh2_session_method_pref
-> setup your algorithms you want to use
//
//possible errors here
//
//OK - zero
//failure - negative number
//
//LIBSSH2_ERROR_INVAL - The requested method type was invalid.
//LIBSSH2_ERROR_ALLOC - An internal memory allocation call failed.
//LIBSSH2_ERROR_METHOD_NOT_SUPPORTED - The requested method is not supported.
//
//DESC:
//-------------------------------------------------------------------------
//libssh2_session_method_pref - set preferred key exchange method
//
//session - Session instance as returned by libssh2_session_init_ex,
//method_type - One of the Method Type constants.
//prefs - Coma delimited list of preferred methods to use
//with the most preferred listed first and the least preferred listed last.
//If a method is listed which is not supported by libssh2
//it will be ignored and not sent to the remote host during protocol negotiation.
//Set preferred methods to be negotiated.
//These preferences must be set prior to calling libssh2_session_handshake,
//as they are used during the protocol initiation phase.
//
// libssh2_session_method_pref() constants
// LIBSSH2_METHOD_KEX 0 //key exchange : client <-> server
// LIBSSH2_METHOD_HOSTKEY 1 //host key fingerprint : client <-> server
// LIBSSH2_METHOD_CRYPT_CS 2 //data encryption : client --> server
// LIBSSH2_METHOD_CRYPT_SC 3 //data decryption : client <-- server
// LIBSSH2_METHOD_MAC_CS 4 //mac hash : client --> server
// LIBSSH2_METHOD_MAC_SC 5 //mac hash : client <-- server
// LIBSSH2_METHOD_COMP_CS 6 //data compression : client --> server
// LIBSSH2_METHOD_COMP_SC 7 //data decompression : client <-- server
// LIBSSH2_METHOD_LANG_CS 8 //language ssh login : client --> server
// LIBSSH2_METHOD_LANG_SC 9 //language local : client <-- server
//
//RETURN: int
//
libssh2_session_method_pref(handleSession, LIBSSH2_METHOD_CRYPT_CS, PreferedAlgorithmList);
libssh2_session_method_pref(handleSession, LIBSSH2_METHOD_CRYPT_SC, PreferedAlgorithmList);
// bad example
PreferedAlgorithmList = "aes128-cbc,aes256-cbc,aes128-gcm"
-> first tries aes128-cbc
-> first tries aes256-cbc
-> first tries aes128-gcm
// better example, tries first highest if not possible go down
PreferedAlgorithmList = "aes256-cbc,aes128-cbc,aes128-gcm"
-> first tries aes256-cbc
-> first tries aes128-cbc
-> first tries aes128-gcm
=> 3des-cbc or blowfish-cbc for example never used for encryption.
// algorithm which are not specified are not used ! there is no hidden try.
Von: libssh2-devel [mailto:libssh2-devel-***@cool.haxx.se] Im Auftrag von Dhananjay kumar
Gesendet: Donnerstag, 18. Oktober 2018 13:28
An: libssh2-***@cool.haxx.se
Betreff: libssh2 APIs to configure different algorithms
Hi,
We use libssh2 ssh client (verison 1.4.2) in our application and we have a requirement to use/offer certain Key Exchange(diffie-hellman-group14-sha1 only), Encryption(aes128-cbc,aes256-cbc, aes128-gcm only), MAC(hmac-sha1, hmac-sha1-96 only) and HostKey(ssh-rsa only) algorithms from SSH client end.
I am new to libssh2 and trying to figure out if there are libssh2 APIs available to configure set of algorithms before starting a session. From https://www.libssh2.org/ , I understand libssh2 supports all above mentioned algorithms and also lot more. I am looking for options to disable the extra algorithms on the fly (or) to enable only limited set of algorithms.
Appreciate any pointers, code references.
Thanks.