
Serv-U / diffie-hellman-group-exchange-sha256

Has anyone been able to get Serv-U to work when the client is requiring key exchange diffie-hellman-group-exchange-sha256?  We're running Serv-U 15.1.6, but it's not working because I don't think this version supports key exchange diffie-hellman-group-exchange-sha256.  Thanks.

0 Kudos
8 Replies

Re: Serv-U / diffie-hellman-group-exchange-sha256

Hi brandonrivera01,

I'm currently on Serv-U 15.1.5 which uses diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1.

I suspect 15.1.6 is still the same, I'd recommend contacting support to see if they have a workaround or recommendation.

-Midnight

0 Kudos
Level 9

Re: Serv-U / diffie-hellman-group-exchange-sha256

I don't think you will find that it is supported. We pushed Solarwinds to get some SHA2 stuff added to 15.1.6. If you tighten up your available SSH security you can only really get as far as this:

Encryption Algorithms

Algorithm | Description | Notes | Rating
aes256-ctr | AES with 256-bit key in CTR mode | - | Secure
aes256-cbc | AES with 256-bit key in CBC mode | CBC mode is not perfect, but still not "unsafe". | Secure
rijndael256-cbc | AES with 256-bit key in CBC mode | CBC mode is not perfect, but still not "unsafe". | Secure
rijndael-cbc@lysator.liu.se | AES with 256-bit key in CBC mode | CBC mode is not perfect, but still not "unsafe". | Secure

MAC Algorithms

Algorithm | Description | Notes | Rating
hmac-sha2-512-96 | - | - | Unknown
hmac-sha2-256 | Hash-based MAC using SHA-256 | - | Secure
hmac-sha2-512 | Hash-based MAC using SHA-512 | - | Secure
hmac-sha2-256-96 | Hash-based MAC using SHA-256 truncated to 96 bits | Tag size should be at least 128 bits; SHA2-256-96 truncates to 96 bits. | Weak

Key Exchange Algorithms

Algorithm | Description | Notes | Rating
ecdh-sha2-nistp256 | Elliptic Curve Diffie-Hellman on NIST P-256 curve with SHA-256 hash | Possible NSA backdoor. | Secure
ecdh-sha2-nistp384 | Elliptic Curve Diffie-Hellman on NIST P-384 curve with SHA-384 hash | Possible NSA backdoor. | Secure
ecdh-sha2-nistp521 | Elliptic Curve Diffie-Hellman on NIST P-521 curve with SHA-512 hash | Possible NSA backdoor. | Secure
diffie-hellman-group14-sha1 | Diffie-Hellman with 2048-bit Oakley Group 14 with SHA-1 hash | Oakley Group 14 should be secure for now. SHA-1 is becoming obsolete, consider using SHA-256 version. | Weak

0 Kudos
Level 10

Re: Serv-U / diffie-hellman-group-exchange-sha256

gnoonan that's a nice report, how did you get that?

ivodlouhybshopp Any news on this? It seems that there is only 1 key exchange that is now considered 'secure' but it is obsolete. When will you implement diffie-hellman-group-exchange-sha256?

0 Kudos
Level 10

Re: Serv-U / diffie-hellman-group-exchange-sha256

Any news on this ivodlouhybshopp?

Have you found any solution gnoonan fluffy midnight?

0 Kudos

Re: Serv-U / diffie-hellman-group-exchange-sha256

Hi calc2014,

I can confirm that versions prior to and equal to 15.1.7 do not have this feature. (15.1.7 simply comprised fixes and hotfixes of previous versions.)

If you're having the same issue, contact support and see if they have any recommendations.

-Midnight

0 Kudos
Product Manager

Re: Serv-U / diffie-hellman-group-exchange-sha256

It is in our roadmap to include more supported SSH key exchange algorithms in Serv-U. Currently we support the following:

DH-GROUP1-SHA1

DH-GROUP14-SHA1

ECDH-SHA2-NISTP256

ECDH-SHA2-NISTP384

ECDH-SHA2-NISTP521


Re: Serv-U / diffie-hellman-group-exchange-sha256

Some very interesting information!

Could you add that to the roadmap post?: What We're Working On - Serv-U FTP Server, Serv-U MFT Server & FTP Voyager - Updated June 26, 20...

0 Kudos
Level 10

Re: Serv-U / diffie-hellman-group-exchange-sha256

@ivodlouhy Any news on this? More users asking for support for modern ciphers as services like Azure SFTP do not support Diffie-Hellman Group 1 SHA1 by default, so they cannot connect to Serv-U.

0 Kudos
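The mismatch discussed in this thread, as an added example that is not part of any post and is not Serv-U or SolarWinds code: it decodes an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and applies the basic negotiation rule to show why a client that only accepts diffie-hellman-group-exchange-sha256 finds no common key exchange. The server offer is constructed from the key exchanges named in the Product Manager's reply, written in their SSH wire spelling; the function names and both client lists are hypothetical.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload (RFC 4253 section 7.1) from ten name-lists."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)       # message type + cookie (zeroed here)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate(client_prefs, server_offer):
    """Basic RFC 4253 rule: first name on the client's list that the server also lists."""
    return next((a for a in client_prefs if a in server_offer), None)

# Constructed server offer: the key exchanges named in the thread, in SSH wire spelling.
SERVER = parse_kexinit(build_kexinit({"kex": [
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]}))

# Constructed client policies (hypothetical, not taken from any real product).
STRICT_CLIENT = ["diffie-hellman-group-exchange-sha256"]
MIXED_CLIENT = ["diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
                "diffie-hellman-group14-sha1"]

if __name__ == "__main__":
    for name, prefs in (("strict", STRICT_CLIENT), ("mixed", MIXED_CLIENT)):
        print(name, "->", negotiate(prefs, SERVER["kex"]) or "no common key exchange")
    print("SHA-1 kex still offered:", [a for a in SERVER["kex"] if a.endswith("-sha1")])
```

To audit a real server, pass the KEXINIT payload captured from its handshake to `parse_kexinit` instead of the constructed one.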