Short summary: libssh2.dll in the official Windows binaries is out of date with respect to available ciphers and needs upgrade in order for Pkg to keep working with packages on private git servers using ssh protocol, if it hasn’t already stopped working.
When trying to add packages from private git servers (such as gitlab or bitbucket) using ssh URL:s, Pkg needs to talk to the ssh server on the host, which it does via LibGit2 and in turn libssh2. In order for this communication to be successful, the client and server needs to agree on a number of things, including what kind of cipher to use. Since old ciphers become less safe over time and new ciphers are invented to replace them, ssh client and servers need to be sufficiently in sync.
This is becoming problematic with the official Julia binaries on Windows. The ssh connection initiated by Pkg.add() offers the following ciphers: aes256-cbc,email@example.com,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc
None of those is considered safe enough to be accepted by a default configured Ubuntu 16.04 openssh server and at my work they are still accepted by the gitlab server (which is rather behind on updates) but not by the bitbucket server.
On Linux the situation is better. With a Julia 1.0 built from source, the list of ciphers is: aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,firstname.lastname@example.org,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,3des-cbc
The first 3 of those overlap what my openssh server accepts (email@example.com,aes128-ctr,aes192-ctr,aes256-ctr,firstname.lastname@example.org,email@example.com) and are enough to talk to the bitbucket server.
Even though it may be possible to tweak the ssh configuration on private git servers that you have enough control over, it’s not always a viable option and this will only become worse over time, so the Windows libssh2 needs to become better.
As far as I can tell, the official Julia 1.0 Windows download ships with a libssh2.dll of version 1.7 whereas Linux built from source has version 1.8. I don’t know if this is enough to explain the difference in available ciphers or if it also depends on build options on Windows.
How is libssh2 built for the official Windows binaries today? What would it take to upgrade them enough to support the aesNNN-ctr ciphers?