#6 Exception text should hold security critical diagnosis info

open
nobody
5
2012-09-21
2012-09-21
Roman
No

When connection cannot be verified (one of the most security critical steps in SSH when protecting against MITM), information about this major event should be included in the exception. Currently just "verify: false" is returned, a problem which occurred for the first time some days ago, although software is running for years already.

Two explanations:
* Some network timing thing
* Every some days, one completely different connection shows that behavior at night time, as if someone is checking host by host if automated software is doing host/client verification right.

The message should contain something about the cause, e.g.
* TCP read timed out
* Could not negotiate parameter X
* Server key too long ...

I do not known, what is verfied at that point, but at least some indication should be given.

jsch-0.1.48/src/main/java/com/jcraft/jsch/Session.java

while(true){
buf=read(buf);
if(kex.getState()==buf.getCommand()){
kex_start_time=System.currentTimeMillis();
boolean result=kex.next(buf);
if(!result){
//System.err.println("verify: "+result);
in_kex=false;
throw new JSchException("verify: "+result);
}
}

Discussion