My Oracle Support Banner

Security Scanner Reports a "potentially weak key exchange algorithm" for Sun Secure Shell (ssh) (Doc ID 1223914.1)

Last updated on APRIL 11, 2023

Applies to:

Solaris Operating System - Version 9 to 11.4 [Release 9.0 to 11.0]
Information in this document applies to any platform.


A security scanner reports a "potentially weak key exchange algorithm".

The particular scanner report reads as follows:


The target Secure Shell 2 (SSH2) server supports a potentially weak key
exchange algorithm.


The Secure Shell 2 (SSH2) protocol is a presentation layer protocol used to
provide secure client-server communication. The SSH2 protocol specification
requires that a SSH2 server support the diffie-hellman-group1-sha1 key exchange
algorithm. This key exchange algorithm is considered strong, but faces a
potential weakness in that the same prime number is used for all key exchanges.
An alternative key exchange algorithm, diffie-hellman-exchange-group-sha1,
provides enhanced security by allowing for the prime number to be specified
during key exchange.


The server should be configured not to support the diffie-hellman-group1-sha1
algorithm if possible. Consult your vendor's documentation.


The ER (Enhanement Request) that provides this support in Oracle Solaris is:

from Patch ID: 117177-02 - in Solaris 9. 

SunSSH in Solaris 10 and 11 already have support for the diffie-hellman-exchange-group-sha1 algorithm so no patch is required on these hosts.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.