Devart Forums

Hi,

I am getting occasional errors like "no matching cipher found", "Invalid Key Exchange Algorithm" and "Invalid Hash Algorithm" however the usual causes for this do not seem to apply. Here is my configuration and setup on the SSH Server and in my ScSSHClient;

Sshd_config
…
Ciphers blowfish-cbc,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,3des-cbc
HostKeyAlgorithms ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1

Ssh –vv localhost

debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256
debug2: ciphers ctos: blowfish-cbc,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: blowfish-cbc,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1

ScSSHClient

Client Ciphers blowfish-cbc,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,3des-cbc
Server Ciphers blowfish-cbc,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,3des-cbc
HMACAlgorithms hmac-sha1,hmac-sha2-256,hmac-sha2-512
HostKeyAlgorithms ssh-rsa
KeyExchangeAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

As you can see there are matching ciphers and algorithms on the server and client and yet sometimes, for reason I can fathom these errors occur.

Example;

Auth.log

Nov 21 16:48:30 DCDB1 sshd[18109]: fatal: Unable to negotiate with X.X.X.X port 64672: no matching cipher found. Their offer: ,aes256-ctr,aes256-cbc
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,3des-cbc [preauth]


Notice that the cipher list is exactly the same with the exception that there is no blowfish-cdc listed at the beginning of the “Their offer” list.

My server: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016


Can anyone shed some light on why this is happening?

Please specify whether you can connect to your SSH server using any third party tool. If yes, to investigate the specified SecureBridge behavior, please compose a small sample demonstrating the issue of test access to your server and send it to us via e-support form: https://www.devart.com/company/contactform.html

Hi Viktor,

Thank you. I wrote a small program to simply connect and disconnect every 5 seconds and ran it all day but no failures were logged. I only have logs to go by currently as I am yet to catch this happening as it happens but my last recorded failure was this;

Server Log

Nov 23 17:43:56 DCDB1 sshd[11488]: fatal: Unable to negotiate with XX.XX.XX.XX port 55815: no matching key exchange method found. Their offer: ,,,,,, [preauth]

Client Log

Exception class name = EScError Exception message = Invalid key exchange algorithm (,,,,,, <-> ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1)
Exception class name = EScError Exception message = Invalid compression algorithm

It looks like one side is not offering any kex algorithms?

These SSH connections are setup using a ScSSHClient, then a tunnel is established using a ScSSHChannel and finally a MySQL connection is made to transfer data using a TMyConnection.

The above failure had a success 29 seconds before;

Nov 23 17:43:27 DCDB1 sshd[11437]: Accepted password for abc from XX.XX.XX.XX port 55782 ssh2

and 1 second later;

Nov 23 17:43:57 DCDB1 sshd[11490]: Accepted password for abc from XX.XX.XX.XX port 55816 ssh2

I will send you a username you can test with to the support address above.

Unfortunately, we can not reproduce the problem based on the information you provided. You are the only user who contacted us with this kind of problem. To understand the cause of the problem, we need a example or a description of the steps and the environment in which the problem is reproduced stably. As soon as we get this example and if the cause of the problem is in the code of our product, we will try to fix it in the shortest possible time.