VanDyke Software Forums


dverbern 03-03-2019 06:52 PM

3rd party changed key change algorithm, we don't seem to have them available
 
First time here.
We are licensed for and using VShell Enterprise Server with FTPS.

A vendor recently advised it was changing security, dropping support for some algorithms and adding some new ones.

We are now seeing the file transfer fail with error:

"Key exchange failed. No compatible key exchange method. The server supports these methods: diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256"

In our version 4.0.4 (x64 build 636) of VShell, under Key Exchange, we have some algorithms checked:

"diffie-hellman-group14", "diffie-hellman" and "diffie-hellman-group"

Note the vendor ones stated in the error above are not listed. Under "Cipher/MAC", within "MAC", there are a couple of MACs not yet checked such as "SHA2-512" or "SHA2-256". I don't know enough about security to know how these concepts work together.

If anyone is able to advise how we might be able to make "diffie-hellman-group16-sha512" and/or "diffie-hellman-group14-sha256" OR "diffie-hellman-group-exchange-sha256" available within our VShell, that would be welcome.

jdev 03-04-2019 11:21 AM

Quote:

Originally Posted by dverbern (Post 51039)
"Key exchange failed. No compatible key exchange method. The server supports these methods: diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256"
<snip>
Note the vendor ones stated in the error above are not listed.

This is because you're using a version of VShell that does not implement support for any of the newer key exchange algorithms required by the client.

Support for the diffie-hellman-group-exchange-sha256 key exchange algorithm was first implemented in VShell version 4.1.

You're using VShell version 4.0, so this algorithm is not present in the SSH2 > Key Exchange category of the VShell control panel.

You also made reference to ciphers...

Quote:

Under "Cipher/MAC", within "MAC", there are a couple of MACs not yet checked such as "SHA2-512" or "SHA2-256". I don't know enough about security to know how these concepts work together.

Ciphers and MACs are components of the key exchange process for SSH2 connections, but the key exchange algorithm itself is at play here, not the Ciphers/MACs.

As I mentioned earlier, the reason why this connection is failing is that the client connecting to VShell is requiring algorithms that your older 4.0 version of VShell did not implement.

If you upgrade your VShell installation to a newer version that supports the diffie-hellman-group-exchange-sha256 key exchange method, this specific client will be able to get past that specific obstacle currently preventing successful connection.
--Jake
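
Added example (not part of the thread and not VanDyke code): a Python sketch of SSH2 algorithm matching, using the method list from the error message quoted above, showing why the VShell 4.0 list finds no match and why enabling more MACs cannot change that. The wire names assigned to the three VShell 4.0 checkboxes and the MAC lists are assumptions made for illustration; the matching rule is a simplified form of RFC 4253 section 7.1.

```python
import re

# Error text exactly as quoted in the thread.
ERROR = ("Key exchange failed. No compatible key exchange method. "
         "The server supports these methods: diffie-hellman-group16-sha512,"
         "diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256")

# ASSUMPTION: wire names behind the three boxes checked in VShell 4.0; the
# thread shows only the control-panel labels.
VSHELL_40_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
                 "diffie-hellman-group-exchange-sha1"]
# Per the reply, 4.1 is the first version with this method.
VSHELL_41_KEX = VSHELL_40_KEX + ["diffie-hellman-group-exchange-sha256"]

def peer_methods(error_text):
    """Pull the peer's comma-separated name-list out of the error message."""
    m = re.search(r"supports these methods:\s*([\w@.,-]+)", error_text)
    if not m:
        raise ValueError("no method list in error text")
    return [n for n in m.group(1).split(",") if n]

def negotiate(client_list, server_list):
    """Simplified RFC 4253 7.1 rule: first name on the client's list that the
    server also lists. None means no overlap, so the connection is dropped."""
    offered = set(server_list)
    return next((n for n in client_list if n in offered), None)

def negotiate_all(client, server):
    """Each category is matched on its own list; an overlap in one category
    cannot make up for an empty overlap in another."""
    return {cat: negotiate(client[cat], server[cat]) for cat in client}

if __name__ == "__main__":
    peer = peer_methods(ERROR)
    # Constructed MAC lists, for illustration only.
    ours = {"kex": VSHELL_40_KEX, "mac": ["hmac-sha1", "hmac-sha2-256"]}
    theirs = {"kex": peer, "mac": ["hmac-sha2-512", "hmac-sha2-256"]}
    print(negotiate_all(ours, theirs))   # kex stays None despite a shared MAC
    ours["kex"] = VSHELL_41_KEX
    print(negotiate_all(ours, theirs))
```

Which side is client and which is server only decides whose preference order wins; whether any overlap exists is the same in both directions.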

