Chilkat v9.5.0.97 makes changes to mitigate the Terrapin attack problem.
It does so by modifying the selection of the default algorithms in the following ways:
- chacha20-poly1305@openssh.com is no longer included by default. It can be re-added by specifying "+chacha20-poly1305@openssh.com" in the UncommonOptions property.
- We are going to keep the "-cbc" encryption modes because potentially too many servers would be affected by eliminating these encryption algorithms. However, we no longer include the "-etm" MAC algorithms, which are:
  - hmac-sha1-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com

The -etm MAC algorithms can be re-added by specifying "+ssh-hmac-etm" in UncommonOptions.
For more information about the Terrapin attack, see https://terrapin-attack.com/
Chilkat (with the above modifications) has been tested using the vulnerability scanner found at https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.0
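To check what an SSH endpoint actually offers after a change like the one above, the following added example (not Chilkat code, and not taken from the scanner) parses an SSH_MSG_KEXINIT payload and flags the algorithms named on this page. The function names are hypothetical, the strict key exchange marker names come from OpenSSH rather than from this page, and the rule that an offer is exposed only when no strict-kex marker is present is an assumption of this example.

```python
# SSH_MSG_KEXINIT name-lists in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
CHACHA = "chacha20-poly1305@openssh.com"
# OpenSSH strict key exchange markers (assumption: not mentioned on this page).
STRICT_KEX = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")  # uint32 list length
        raw = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated name-list")
        offer[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return offer

def terrapin_findings(offer: dict) -> dict:
    """Flag the algorithm offers this page removes from the defaults."""
    enc = set(offer["enc_c2s"]) | set(offer["enc_s2c"])
    mac = set(offer["mac_c2s"]) | set(offer["mac_s2c"])
    cbc_etm = (any(e.endswith("-cbc") for e in enc)
               and any(m.endswith("-etm@openssh.com") for m in mac))
    strict = bool(STRICT_KEX & set(offer["kex"]))
    return {"chacha20_poly1305": CHACHA in enc, "cbc_etm": cbc_etm,
            "strict_kex": strict,
            "exposed": (CHACHA in enc or cbc_etm) and not strict}

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed KEXINIT payload so the example runs offline."""
    body = b"\x14" + bytes(16)  # message type 20 and a zeroed cookie
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows, reserved

if __name__ == "__main__":
    # Constructed offer: CBC cipher plus an -etm MAC, no strict kex marker.
    sample = {"kex": ["curve25519-sha256"], "enc_c2s": ["aes128-cbc"],
              "enc_s2c": ["aes128-cbc"],
              "mac_c2s": ["hmac-sha2-256-etm@openssh.com"],
              "mac_s2c": ["hmac-sha2-256-etm@openssh.com"]}
    print(terrapin_findings(parse_kexinit(build_kexinit(sample))))
```

An offer that keeps the "-cbc" ciphers but drops the -etm MACs and chacha20-poly1305, as the new defaults do, comes back with `exposed` set to False.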