
enable the insecure AES CBC ciphers

Posted: Wed Apr 08, 2015 7:00 pm
by donj91711
I am running SmartFTP Library and got the "Key exchange failed" error. 
 
2015-04-08T11:38:17 SmartFTP FTP Library 4.0.456.0
2015-04-08T11:38:26 Resolving host name "<ftp host>"
2015-04-08T11:38:26 Connecting to <ip address> Port: 22
2015-04-08T11:38:26 Connected to <ftp host>.
2015-04-08T11:38:26 SSH protocol version reply. Client Id: SSH-2.0-SmartFTP
2015-04-08T11:38:26 SSH-2.0-JSCAPE
2015-04-08T11:38:26 Starting SSH session. Remote Id: "SSH-2.0-JSCAPE"
2015-04-08T11:38:26 Server Algorithm Suite
Key Exchange: diffie-hellman-group1-sha1
Server Host Key: ssh-rsa
Client to Server Encryption: blowfish-cbc,3des-cbc
Server to Client Encryption: blowfish-cbc,3des-cbc
Client to Server HMAC: hmac-sha1,hmac-md5
Server to Client HMAC: hmac-sha1,hmac-md5
Client to Server Compression: none
Server to Client Compression: none
2015-04-08T11:38:26 Key exchange failed.
2015-04-08T11:38:26 Client closed the connection.
 
This problem was solved in the following post:
www.smartftp.com/forums/index.php?/topi ... iled/
 
The solution was to: Manually enable the insecure AES CBC ciphers in the SSH dialog in the favorite properties
 
I believe that solution was for SmartFTP client. How can I enable the ciphers in the SmartFTP library code?
 
 

Re: enable the insecure AES CBC ciphers

Posted: Wed Apr 08, 2015 7:36 pm
by mb
The AES CBC ciphers have been enabled again by default in the FTP Library.
 
Can you reproduce the problem with SmartFTP Client?

Re: enable the insecure AES CBC ciphers

Posted: Tue Apr 14, 2015 9:52 pm
by donj91711
I don't own a copy of the SmartFTP client (my 30 day trial expired), but I did try several other things.
1) FileZilla connects OK.
2) An older version of SmartFTP library connects OK. Here is the log:
 
[20150414 21:44:21] SmartFTP FTP Library 2.0.86.0
[20150414 21:44:21] Resolving host name "<ftp host>"
[20150414 21:44:21] Connecting to <ftp ip> Port: 22
[20150414 21:44:21] SSH-2.0-JSCAPE
[20150414 21:44:21] Starting SSH session. Remote Id: "SSH-2.0-JSCAPE"
[20150414 21:44:21] SSH protocol version reply. Client Id: "SSH-2.0-SmartFTP"
[20150414 21:44:22] Key Exchange Algorithm: diffie-hellman-group1-sha1
[20150414 21:44:22] Key exchange completed.
[20150414 21:44:22] Host Key Algorithm: ssh-rsa
[20150414 21:44:22] Client to Server Encryption: 3des-cbc
[20150414 21:44:22] Server to Client Encryption: 3des-cbc
[20150414 21:44:22] Session MAC: hmac-sha1
[20150414 21:44:22] Client to Server Compression: none
[20150414 21:44:22] Server to Client Compression: none
[20150414 21:44:22] Requesting service "ssh-userauth".
[20150414 21:44:22] RTT: 28.611 ms
[20150414 21:44:22] Authentication request. Method: "none"
[20150414 21:44:22] Server supported authentications: password,publickey
[20150414 21:44:22] Authentication request. Method: "password"
[20150414 21:44:22] User authentication successful.
[20150414 21:44:22] SSH session established.
[20150414 21:44:22] Connected to sftp2.mcmcg.com.
[20150414 21:44:22] Detected Server Software: JSCAPE Secure FTP Server
[20150414 21:44:22] Opening channel 0.
[20150414 21:44:22] Channel successfully opened (Local=0, Remote=0).
 
Does this shed any light on why the new FTP library cannot connect?
 

Re: enable the insecure AES CBC ciphers

Posted: Wed Apr 15, 2015 11:15 pm
by donj91711
Still waiting for any suggestions on this. It continues to work great with the older version of SmartFTP library, but I have to start running it on a new computer as Windows XP has been deprecated. The new OS requires the newer version of SmartFTP library, which I purchased just for this purpose and it won't work.

Re: enable the insecure AES CBC ciphers

Posted: Thu Apr 16, 2015 7:51 am
by mb
Please try the previous suggestion. Then report back with the results. For further assistance please contact us by email.

Re: enable the insecure AES CBC ciphers

Posted: Tue May 05, 2015 11:20 pm
by donj91711
I purchased a copy of SmartFTP client so that I could try your suggestion. Here is the log when I try to connect:
 
[15:42:55] SmartFTP 6.0.2136.0
[15:42:55] 1>Resolving host name "<ftp client>.com"
[15:42:55] 1>Connecting to <ftp IP> Port: 22
[15:42:55] 1>Connected to <ftp client>.com.
[15:42:55] 1>SSH protocol version reply. Client Id: SSH-2.0-SmartFTP
[15:42:55] 1>SSH-2.0-JSCAPE
[15:42:55] 1>Starting SSH session. Remote Id: "SSH-2.0-JSCAPE"
[15:42:56] 1>Server Algorithm Suite
             Key Exchange: diffie-hellman-group1-sha1
             Server Host Key: ssh-rsa
             Client to Server Encryption: blowfish-cbc,3des-cbc
             Server to Client Encryption: blowfish-cbc,3des-cbc
             Client to Server HMAC: hmac-sha1,hmac-md5
             Server to Client HMAC: hmac-sha1,hmac-md5
             Client to Server Compression: none
             Server to Client Compression: none
[15:42:56] 1>Key exchange failed.
[15:42:56] 1>Client closed the connection.
 
FileZilla connects fine with the same credentials, and the old version of SmartFTP library works on an XP machine.
I need to get this running on a Windows 7 machine.
 
Any thoughts on what my next step is?

Re: enable the insecure AES CBC ciphers

Posted: Wed May 06, 2015 1:52 pm
by mb
In SmartFTP:
- Go to the Tools - Favorite Properties
- Go to the SSH - Advanced dialog
- Set the Encryption option to Use favorite settings
- Check 3DES
- Click OK
- Restart SmartFTP
 
For the problem with the FTP Library:
Install the latest version https://www.smartftp.com/ftplib/download
It comes with 3DES pre-enabled

Re: enable the insecure AES CBC ciphers

Posted: Wed May 06, 2015 9:14 pm
by donj91711
Thank you. This solution works.
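
Added example, not part of the original posts and not SmartFTP code: the "Server Algorithm Suite" block from the failing log is parsed and run through the SSH rule that each category needs one algorithm present on both lists (RFC 4253, section 7.1). The client lists (`AES_ONLY`, `client_config`) are assumptions for illustration, not SmartFTP's actual defaults.

```python
import re

# Server suite copied from the failing log in this thread.
LOG = """\
2015-04-08T11:38:26 Server Algorithm Suite
Key Exchange: diffie-hellman-group1-sha1
Server Host Key: ssh-rsa
Client to Server Encryption: blowfish-cbc,3des-cbc
Server to Client Encryption: blowfish-cbc,3des-cbc
Client to Server HMAC: hmac-sha1,hmac-md5
Server to Client HMAC: hmac-sha1,hmac-md5
Client to Server Compression: none
Server to Client Compression: none
2015-04-08T11:38:26 Key exchange failed.
"""
AES_ONLY = ["aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"]  # assumed

def parse_server_suite(log):
    """Return {category: [algorithms]} from the 'Server Algorithm Suite' block."""
    suite, in_block = {}, False
    for line in log.splitlines():
        if line.endswith("Server Algorithm Suite"):
            in_block = True
        elif in_block:
            m = re.match(r"\s*([A-Za-z ]+): (\S+)$", line)
            if not m:
                break  # a timestamped line ends the block
            suite[m.group(1)] = m.group(2).split(",")
    return suite

def client_config(ciphers):
    # Assumed client lists for illustration, not SmartFTP's actual defaults.
    macs = ["hmac-sha2-256", "hmac-sha1"]
    return {"Key Exchange": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
            "Server Host Key": ["ssh-rsa"],
            "Client to Server Encryption": ciphers, "Server to Client Encryption": ciphers,
            "Client to Server HMAC": macs, "Server to Client HMAC": macs,
            "Client to Server Compression": ["none"], "Server to Client Compression": ["none"]}

def negotiate(client, server):
    """Simplified RFC 4253 7.1: per category, first client algorithm the server lists."""
    chosen, failed = {}, []
    for category, offered in server.items():
        match = next((a for a in client.get(category, []) if a in offered), None)
        if match is None:
            failed.append(category)  # no overlap: key exchange cannot proceed
        else:
            chosen[category] = match
    return chosen, failed

if __name__ == "__main__":
    suite = parse_server_suite(LOG)
    for label, ciphers in (("AES only", AES_ONLY), ("AES + 3DES", AES_ONLY + ["3des-cbc"])):
        chosen, failed = negotiate(client_config(ciphers), suite)
        print(label, "->", "no common algorithm for: " + ", ".join(failed) if failed else chosen)
```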