Subject: Re: LIBSSH2_ERROR_KEX_FAILURE

Re: LIBSSH2_ERROR_KEX_FAILURE

From: William Shipley <william_at_schuylerhouse.com>
Date: Fri, 29 Mar 2019 15:20:21 -0700

I guess my question is “what is the crypto backend that will give my client the best chance of being able to connect to any unknown SFTP server”. Finding my way here, I initially built with WinCNG since my application also supports Schannel TLS connections using windows cryptography so I figured I already had the library loaded. And most people should be able to connect to Windows stuff. So much for that.

Browsing various documents I get the impression that mbedtls would be a good choice, but I want to be in the “mainstream” of libssh2 users.

It would be nice to have a “for the beginner.doc” but that’s one of the hardest things on any software package – documentation that doesn’t assume you know much about it.

William Shipley

From: Daniel Jeliński
Sent: Tuesday, March 26, 2019 1:09 AM
To: libssh2 development
Subject: Re: LIBSSH2_ERROR_KEX_FAILURE

Hi,
All ciphers provided by your client are insecure: RC4 is insecure, CBC mode of operation is insecure, client does not provide anything else.

GCM is not supported by libssh2. CTR is not supported by wincng, though I think I saw some code to emulate it on top of ECB, wonder why it didn't work for you. I can't comment on chacha, but it may also be unimplemented in libssh2.
Regards,
Daniel

wt., 26 mar 2019 o 00:34 William Shipley <william_at_schuylerhouse.com> napisał(a):

  I've built libssh2 with wincng and have been testing with the CrushFTP
  server. All has been working smoothly. In trying to install my software at a
  client site, they are attempting to use AWS SFTP service. When performing
  the libssh2_session_handshake I am failing with a KEX error.

  A log from the server indicates:

  Mar 25 13:58:14 pathlabsrv sshd[4988]: fatal: no matching cipher found:
  client
  aes256-cbc,rijndael-cbc_at_lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc
  server
  aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm_at_openssh.com,aes256-gcm_at_openssh.com,chacha20-poly1305_at_openssh.com
  [preauth]

  And, indeed, we do not have a matching cipher. I would have expected Windows
  cryptography to be generally 'vanilla' and I would have expected Amazon to
  support pretty much anything. From my limited experience they seem to have
  used Open SSH.

  Has anyone encountered this? Can anyone give me guidance?

  Wm

  -----Original Message-----
  From: Daniel Stenberg
  Sent: Monday, March 25, 2019 12:37 PM
  To: libssh2 development
  Subject: RELEASE: libssh2 1.8.2

  Hi!

  I'm happy to announce a small update to the previous release as we managed
  to
  get a little hiccup included. Here's 1.8.2!

  Get it from https://www.libssh2.org/ as always!

  libssh2 1.8.2

  This release includes the following bugfixes:

    o Fixed the misapplied userauth patch that broke 1.8.1
    o moved the MAX size declarations from the public header

  This release would not have looked like this without help, code, reports and
  advice from friends like these:

     Will Cosgrove
     (1 contributors)

  --

    / daniel.haxx.se
  _______________________________________________
  libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

  _______________________________________________
  libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

--------------------------------------------------------------------------------
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2019-03-29