Serv-U / diffie-hellman-group-exchange-sha256

Has anyone been able to get Serv-U to work when the client is requiring key exchange diffie-hellman-group-exchange-sha256?  We're running Serv-U 15.1.6, but it's not working because I don't think this version supports key exchange diffie-hellman-group-exchange-sha256.  Thanks.

@ivodlouhy Could you let us know if this has been fixed/support added in v15.2? Thanks!

The SSH KEX algorithm diffie-hellman-group-exchange-sha256 implementation was not part of the Serv-U 15.2 scope, but it is in the backlog for the next release, which we are working on now.

Ok @ivodlouhy, we really hoped it would be in 15.2, but we will wait for the update. One reason it is important is that the SFTP connector on Microsoft Azure requires it, and many people use that now, so for this reason it is not compatible with Serv-U by default at present.

I don't think you will find that it is supported. We pushed SolarWinds to get some SHA2 stuff added to 15.1.6. If you tighten up your available SSH security you can only really get as far as this:

Encryption Algorithms


AES with 256-bit key in CTR mode


AES with 256-bit key in CBC mode

CBC mode is not perfect, but still not "unsafe".

MAC Algorithms


Hash-based MAC using SHA-256


Hash-based MAC using SHA-512


Hash-based MAC using SHA-256 truncated to 96 bits

Tag size should be at least 128 bits; SHA2-256-96 truncates to 96 bits.

Key Exchange Algorithms

ecdh-sha2-nistp256 | Elliptic Curve Diffie-Hellman on NIST P-256 curve with SHA-256 hash | Possible NSA backdoor. | Secure

ecdh-sha2-nistp384 | Elliptic Curve Diffie-Hellman on NIST P-384 curve with SHA-384 hash | Possible NSA backdoor. | Secure

ecdh-sha2-nistp521 | Elliptic Curve Diffie-Hellman on NIST P-521 curve with SHA-512 hash | Possible NSA backdoor. | Secure

diffie-hellman-group14-sha1 | Diffie-Hellman with 2048-bit Oakley Group 14 with SHA-1 hash | Oakley Group 14 should be secure for now. SHA-1 is becoming obsolete, consider using SHA-256 version. | Weak
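Added example (not part of any post in this thread, and not Serv-U or SolarWinds code): a simplified version of the RFC 4253 key-exchange selection, run against the four KEX algorithms listed in the report above, showing why a client that offers only diffie-hellman-group-exchange-sha256 cannot connect. The helper names, the zeroed cookie and both client lists are constructed for illustration; the host-key compatibility checks of the full negotiation are left out.

```python
import struct

SSH_MSG_KEXINIT = 20

def build_kexinit(kex_algorithms):
    """Build a constructed KEXINIT payload; only the kex_algorithms list is filled in."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + 16-byte cookie (zeroed)
    payload += name_list(kex_algorithms)
    payload += name_list([]) * 9                     # the other nine name-lists, left empty
    payload += b"\x00" + struct.pack(">I", 0)        # first_kex_packet_follows + reserved
    return payload

def parse_kex_algorithms(payload):
    """Return the kex_algorithms name-list from a KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []

def negotiate_kex(client_algs, server_algs):
    """First algorithm on the client's list that the server also offers, else None."""
    offered = set(server_algs)
    return next((alg for alg in client_algs if alg in offered), None)

# KEX list as given in the report in this thread.
SERVER_KEX = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
              "ecdh-sha2-nistp521", "diffie-hellman-group14-sha1"]
# Constructed client lists: one that insists on group-exchange-sha256, one with fallbacks.
STRICT_CLIENT = ["diffie-hellman-group-exchange-sha256"]
FALLBACK_CLIENT = ["diffie-hellman-group-exchange-sha256",
                   "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]

if __name__ == "__main__":
    server = parse_kex_algorithms(build_kexinit(SERVER_KEX))
    for label, client in (("strict", STRICT_CLIENT), ("fallback", FALLBACK_CLIENT)):
        chosen = negotiate_kex(client, server)
        print(f"{label}: {chosen or 'no common KEX algorithm, connection fails'}")
```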

gnoonan that's a nice report, how did you get that?

ivodlouhy bshopp Any news on this? It seems there is only 1 key exchange that is now considered 'secure' but it is obsolete. When will you implement diffie-hellman-group-exchange-sha256?

It is on our roadmap to include more supported SSH key exchange algorithms in Serv-U. Currently we support the following

@ivodlouhy Great, did these get added in v15.2 from the roadmap?

@ivodlouhy Any news on this? More users asking for support for modern ciphers as services like Azure SFTP do not support Diffie-Hellman Group 1 SHA1 by default, so they cannot connect to Serv-U.

Some very interesting information!

Could you add that to the roadmap post?: What We're Working On - Serv-U FTP Server, Serv-U MFT Server & FTP Voyager - Updated June 26, 20...

Any news on this ivodlouhy bshopp?

Have you found any solution gnoonan fluffy midnight?

Hi calc2014,

I can confirm that versions prior to and equal to 15.1.7 do not have this feature. (15.1.7 simply comprised fixes and hotfixes of previous versions.)

If you're having the same issue, contact support and see if they have any recommendations.


Hi brandonrivera01,

I'm currently on Serv-U 15.1.5 which uses diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1.

I suspect 15.1.6 is still the same, I'd recommend contacting support to see if they have a workaround or recommendation.