Algorithms for key exchange

Hi team,
I went through the ConfD user guide, and it looks like ConfD only supports the following algorithms for key exchange. Are any more algorithms supported in ConfD Basic?

  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1

Hi,
Seems like a documentation bug in the confd.conf(5) man page.
As of confd-7.3, these two key exchange algorithms are also supported (in addition to the ones you and the confd.conf man page list):

  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256

So a confd.conf setup like this one may be desirable to prioritize diffie-hellman-group18-sha512 over diffie-hellman-group14-sha256, but only allow those two algorithms:

  <ssh>
    <algorithms>
      <kex>diffie-hellman-group18-sha512 diffie-hellman-group14-sha256</kex>
    </algorithms>
  </ssh>
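
An added example (not part of the original post, and not ConfD code): a Python check that reads the kex list from a confd.conf-style file and flags entries that use SHA-1 or a 1024-bit group. The sample file, its confdConfig root element and namespace, and the 2048-bit threshold are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the list from the first post placed in the <kex> element
# shown above. The confdConfig root element and namespace are assumptions.
SAMPLE_CONF = """<confdConfig xmlns="http://tail-f.com/ns/confd_cfg/1.0">
  <ssh>
    <algorithms>
      <kex>diffie-hellman-group18-sha512 diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha256
           diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1</kex>
    </algorithms>
  </ssh>
</confdConfig>"""

# MODP group sizes in bits: RFC 4253 (group1, group14), RFC 8268 (group18).
GROUP_BITS = {"group1": 1024, "group14": 2048, "group18": 8192}
KEX_RE = re.compile(r"^diffie-hellman-(group\d+|group-exchange)-(sha\d+)$")

def local(tag):  # strip an XML namespace so lookups work with or without one
    return tag.rsplit("}", 1)[-1]

def kex_list(conf_xml):
    """Return the names in ssh/algorithms/kex in preference order, or None."""
    root = ET.fromstring(conf_xml)
    for ssh in (e for e in root.iter() if local(e.tag) == "ssh"):
        for algs in (e for e in ssh if local(e.tag) == "algorithms"):
            for kex in (e for e in algs if local(e.tag) == "kex"):
                return (kex.text or "").split()
    return None  # no explicit kex list in this file

def audit(conf_xml):
    """Map each configured kex name to a list of findings (empty = none)."""
    report = {}
    for name in kex_list(conf_xml) or []:
        m = KEX_RE.match(name)
        if not m:
            report[name] = ["unrecognized name"]
            continue
        group, digest = m.groups()
        issues = ["SHA-1 exchange hash"] if digest == "sha1" else []
        bits = GROUP_BITS.get(group)  # None for group-exchange (size is negotiated)
        if bits is not None and bits < 2048:
            issues.append(f"{bits}-bit group")
        report[name] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONF).items():
        print(f"{name:40} {', '.join(issues) or 'ok'}")
```

Run against the two-algorithm setup shown above, the check reports no findings for either entry.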

Thanks Cohult, does ConfD support any of these cipher suites in ConfD Basic?
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

If you want to use NETCONF over TLS (your list above is from GnuTLS) instead of SSH, I suggest you check out this demo:


As that demo uses GnuTLS for NETCONF over TLS, yes, the ciphers you listed are supported (by GnuTLS).
If you want to run that demo and have Docker installed while using ConfD Basic, in the setup.sh file, just replace
CONFD_VERSION="7.3"
with
CONFD_VERSION="basic-7.3"
and run the "./setup.sh" script with the ConfD installation files placed in the same folder.

Thank you, I will try with this.