[Development] Gerrit "no matching cipher found"

Discussion:

Tomasz Siekierda

2018-10-10 17:43:32 UTC

Hi,

it's been a while since I've last pushed to gerrit. I'm getting this:

$ git push gerrit HEAD:refs/for/dev
Unable to negotiate with 54.229.21.112 port 29418: no matching cipher
found. Their offer: aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I'm on Kubuntu 18.10. I've made sure the ssh pub key on gerrit is
correct. And I've used init-repository script to get going.

Does anybody know how to fix this? Most probably it's something stupid/ trivial.

Cheerio,
sierdzio

Konstantin Shegunov

2018-10-10 17:51:54 UTC

Permalink

On Wed, Oct 10, 2018 at 8:43 PM Tomasz Siekierda <***@gmail.com> wrote:

> Hi,
> I'm on Kubuntu 18.10. I've made sure the ssh pub key on gerrit is
> correct. And I've used init-repository script to get going.
>

Hi,
Ran into this a few months ago. Force the cipher through the ssh config and
you should get it going.
Sample follows:
Host codereview.qt-project.org
Port 29418
User <whateveryouruseris>
Ciphers aes256-cbc
PreferredAuthentications publickey
IdentityFile <privatekeyfile>

Kind regards.

Thiago Macieira

2018-10-10 19:42:49 UTC

Permalink

On Wednesday, 10 October 2018 10:43:32 PDT Tomasz Siekierda wrote:
> I'm on Kubuntu 18.10. I've made sure the ssh pub key on gerrit is
> correct. And I've used init-repository script to get going.
>
> Does anybody know how to fix this? Most probably it's something stupid/
> trivial.

Most Linux distributions or possibly OpenSSH upstream have begun disabling
older ciphers by default. Our Gerrit server uses an old version of JGit, which
uses old ciphers. You need to turn something back on. See Konstantin's reply
for a suggestion on which one.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center

Tomasz Siekierda

2018-10-11 06:08:54 UTC

Permalink

Perfect, that worked! Thanks, Konstantin!

And thanks Thiago for explanation, too.

On Wed, 10 Oct 2018 at 21:43, Thiago Macieira <***@intel.com> wrote:
>
> On Wednesday, 10 October 2018 10:43:32 PDT Tomasz Siekierda wrote:
> > I'm on Kubuntu 18.10. I've made sure the ssh pub key on gerrit is
> > correct. And I've used init-repository script to get going.
> >
> > Does anybody know how to fix this? Most probably it's something stupid/
> > trivial.
>
> Most Linux distributions or possibly OpenSSH upstream have begun disabling
> older ciphers by default. Our Gerrit server uses an old version of JGit, which
> uses old ciphers. You need to turn something back on. See Konstantin's reply
> for a suggestion on which one.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel Open Source Technology Center
>
>
>
> _______________________________________________
> Development mailing list
> ***@qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development

Lisandro Damián Nicanor Pérez Meyer

2018-10-11 10:23:40 UTC

Permalink

El miÃ©., 10 de oct. de 2018 16:43, Thiago Macieira <
***@intel.com> escribiÃ³:

> On Wednesday, 10 October 2018 10:43:32 PDT Tomasz Siekierda wrote:
> > I'm on Kubuntu 18.10. I've made sure the ssh pub key on gerrit is
> > correct. And I've used init-repository script to get going.
> >
> > Does anybody know how to fix this? Most probably it's something stupid/
> > trivial.
>
> Most Linux distributions or possibly OpenSSH upstream have begun disabling
> older ciphers by default.

The later as I understand.

Our Gerrit server uses an old version of JGit, which
> uses old ciphers. You need to turn something back on. See Konstantin's
> reply
> for a suggestion on which one.

Is there a chance to fix this?

Edward Welbourne

2018-10-11 10:33:38 UTC

Permalink

El mié., 10 de oct. de 2018 16:43, Thiago Macieira <***@intel.com<mailto:***@intel.com>> escribió:
> Our Gerrit server uses an old version of JGit, which uses old
> ciphers. You need to turn something back on. See Konstantin's reply
> for a suggestion on which one.

Lisandro Damián Nicanor Pérez Meyer (11 October 2018 12:23)
> Is there a chance to fix this?

I imagine the upgrade to Gerrit should do so.
That upgrade is in progress, but may take some time.

Eddy.