With the latest release of Maverick Legacy 1.7.35, we have introduced a new configuration component, AdaptiveConfiguration. This new class allows you to configure the algorithm preferences for your API deployments globally and on a pattern matching basis using the remote endpoint details such as SSH identifier and hostname.
While this release has fledgling support for this class, we expect its features to be extended over coming releases to include file-based configuration and named configuration sets.
Let's take a look at what is currently possible.
Setting Global Algorithm Preferences
The following call will configure the global ciphers in order of preference:
AdaptiveConfiguration.setGlobalConfig(
AdaptiveConfiguration.CIPHERS,
"aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com");
We can also do the same for:
AdaptiveConfiguration.MACS
AdaptiveConfiguration.KEY_EXCHANGE
AdaptiveConfiguration.PUBLIC_KEYS
AdaptiveConfiguration.COMPRESSION
There is no need to set individual preferences via SshContext and Ssh2Context. These values will override context preferences, and the order of precedence used is the order you supply the algorithm names.
Setting Pattern Matching Preferences
You can configure matching against the SSH identifier of the remote endpoint. For example, to target OpenSSH servers, we could use:
AdaptiveConfiguration.setPatternConfig("OpenSSH.*",
AdaptiveConfiguration.CIPHERS,
"aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com");
or we could target a specific version of OpenSSH:
AdaptiveConfiguration.setPatternConfig("OpenSSH_8.1.*",
AdaptiveConfiguration.CIPHERS,
"aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com");
The pattern value should be a complete regular expression.
Similarly, for client connections, we could match the outgoing hostname.
AdaptiveConfiguration.setPatternConfig("localhost",
AdaptiveConfiguration.CIPHERS,
"aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com");
In the server API, we can match the configuration against the client's IP address.
Command Line Configuration
You can supply some options via the command line for more flexibility in production. All global configuration options can be specified using the following properties.
-Dmaverick.ciphers=<a,b,c,d>
-Dmaverick.macs=<a,b,c,d>
-Dmaverick.kex=<a,b,c,d>
-Dmaverick.publickeys=<a,b,c,d>
-Dmaverick.compressions=<a,b,c,d>
You can provide non-regular expression matching via system properties; for example, to match localhost connections, you can use
-Dlocalhost.ciphers=<a,b,c,d>
You can match the exact SSH identifier too, this is an exact match and not a regular expression:
-DOpenSSH_8.1.ciphers=<a,b,c,d>