x/crypto: Feature Request: Expose Negotiated Cipher #73679

Closed
fdefilippo opened this issue May 12, 2025 · 1 comment
Labels
LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool
Milestone

Comments

@fdefilippo

Feature Request: Expose Negotiated Cipher

What is the issue?

The golang.org/x/crypto/ssh package currently does not provide a way via its public API to determine which specific symmetric cipher algorithm was successfully negotiated and is being used for an established ssh.Conn (or *ssh.Client).

Why is this needed?

Access to the negotiated cipher string would be valuable for several use cases:

  1. Debugging and Diagnostics: When troubleshooting connection issues or verifying server configurations, knowing the exact cipher selected during the handshake provides crucial context that is currently only available in low-level debug logs (if enabled) or server-side logs.
  2. Security and Compliance Logging: For applications requiring stringent security auditing or compliance, logging the specific cryptographic algorithms used for each connection (including the cipher) is often a requirement.
  3. Transparency: Providing visibility into the security parameters of the established connection makes the library easier to use and understand for security-conscious developers.

Proposed change:

Add a method to the ssh.Conn interface (and its implementations) that returns the names of the negotiated symmetric cipher algorithms used for the client-to-server and server-to-client directions.

A possible method signature could be:

type Conn interface {
    // ... existing methods ...

    // NegotiatedCipher returns the names of the negotiated cipher algorithms.
    // The clientToServer string is the algorithm used for messages from the client to the server.
    // The serverToClient string is the algorithm used for messages from the server to the client.
    // If no cipher was negotiated (e.g., connection failed before this step), it may return empty strings.
    NegotiatedCipher() (clientToServer string, serverToClient string)
}

Alternatively, this information could potentially be added to a connection statistics or info struct if that is more in line with the library's design philosophy.

Current state:

The negotiated cipher is determined internally by the library during the ssh.Dial or ssh.NewClient handshake based on the client's ssh.ClientConfig.Ciphers list and the server's supported ciphers. However, this specific piece of information is not exposed via any public getter method on the resulting *ssh.Client or ssh.Conn object.
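As an added illustration that is not code from this issue or from x/crypto/ssh: the per-direction cipher choice the request asks to expose follows the RFC 4253 section 7.1 rule (the first algorithm on the client's name-list that also appears on the server's name-list, evaluated separately for each direction). The block below re-implements that rule over constructed SSH_MSG_KEXINIT name-lists and then runs the "Security and Compliance Logging" use case as an allow-list check over both directions. The names `kexInit`, `NegotiatedCiphers`, `outsidePolicy` and `auditLine` are assumed for this example, the server lists are constructed sample data, and the host is a placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// kexInit holds the per-direction cipher name-lists a peer advertises in
// SSH_MSG_KEXINIT (RFC 4253 section 7.1). Assumed type for this example; it is
// not x/crypto/ssh's internal representation.
type kexInit struct {
	CiphersClientToServer []string
	CiphersServerToClient []string
}

var errNoCommonCipher = errors.New("ssh: no common cipher between client and server")

// chooseFirstCommon applies the RFC 4253 rule for one direction: the result is
// the first name on the client's list that also appears on the server's list.
// Client order decides; server order is irrelevant.
func chooseFirstCommon(clientPrefs, serverSupported []string) (string, error) {
	for _, c := range clientPrefs {
		for _, s := range serverSupported {
			if c == s {
				return c, nil
			}
		}
	}
	return "", errNoCommonCipher
}

// NegotiatedCiphers returns the cipher chosen for each direction, in the shape
// the issue proposes for ssh.Conn. Each direction is negotiated from its own
// pair of lists, so the two results can legitimately differ.
func NegotiatedCiphers(client, server kexInit) (clientToServer, serverToClient string, err error) {
	clientToServer, err = chooseFirstCommon(client.CiphersClientToServer, server.CiphersClientToServer)
	if err != nil {
		return "", "", err
	}
	serverToClient, err = chooseFirstCommon(client.CiphersServerToClient, server.CiphersServerToClient)
	if err != nil {
		return "", "", err
	}
	return clientToServer, serverToClient, nil
}

// outsidePolicy returns the negotiated names that are not on an allow-list,
// which is what a compliance log would flag. Both directions are checked
// because a policy that inspects only one can miss a weaker choice in the other.
func outsidePolicy(allowed []string, negotiated ...string) []string {
	allowedSet := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		allowedSet[a] = true
	}
	var out []string
	for _, n := range negotiated {
		if !allowedSet[n] {
			out = append(out, n)
		}
	}
	return out
}

// auditLine renders one key=value log record for the established connection.
func auditLine(host, clientToServer, serverToClient string, violations []string) string {
	return fmt.Sprintf("event=ssh_handshake host=%s cipher_c2s=%s cipher_s2c=%s policy_violations=%q",
		host, clientToServer, serverToClient, strings.Join(violations, ","))
}

func main() {
	// Constructed sample lists. The client prefers AES-GCM in both directions;
	// the server supports AES-GCM for client-to-server traffic but advertises
	// only aes128-ctr for server-to-client traffic.
	client := kexInit{
		CiphersClientToServer: []string{"aes256-gcm@openssh.com", "aes128-ctr"},
		CiphersServerToClient: []string{"aes256-gcm@openssh.com", "aes128-ctr"},
	}
	server := kexInit{
		CiphersClientToServer: []string{"aes128-ctr", "aes256-gcm@openssh.com"},
		CiphersServerToClient: []string{"aes128-ctr"},
	}
	c2s, s2c, err := NegotiatedCiphers(client, server)
	if err != nil {
		fmt.Println("handshake would fail:", err)
		return
	}
	allowed := []string{"aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
	// "example.invalid" is a placeholder host, not a real endpoint.
	fmt.Println(auditLine("example.invalid:22", c2s, s2c, outsidePolicy(allowed, c2s, s2c)))
}
```

The constructed client advertises the same list in both directions, which matches what a single ssh.ClientConfig.Ciphers list yields; the asymmetry comes from the server side, and it is exactly why the proposed method returns two strings rather than one.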

@gopherbot gopherbot added this to the Unreleased milestone May 12, 2025
@gabyhelp

Related Issues

@gabyhelp gabyhelp added the LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool label May 12, 2025