This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Serv-U / diffie-hellman-group-exchange-sha256

brandonrivera01 over 5 years ago

Has anyone been able to get Serv-U to work when the client is requiring key exchange diffie-hellman-group-exchange-sha256? We're running Serv-U 15.1.6, but it's not working because I don't think this version supports key exchange diffie-hellman-group-exchange-sha256. Thanks.

Top Replies

0 fluffy_midnight over 5 years ago

Hi brandonrivera01,
I'm currently on Serv-U 15.1.5 which uses diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1.
I suspect 15.1.6 is still the same, I'd recommend contacting support to see if they have a workaround or recommendation.
-Midnight
Cancel
Vote Up +1 Vote Down

Cancel

0 gnoonan over 5 years ago

I don't think you will find that it is supported. We pushed Solarwinds to get some SHA2 stuff added to 15.1.6. If you tighten up your available SSH security you can only really get as far as this;

Encryption Algorithms

`aes256-ctr`	AES with 256-bit key in CTR mode	Secure
`aes256-cbc`	AES with 256-bit key in CBC mode CBC mode is not perfect, but still not "unsafe".	Secure
`rijndael256-cbc`	AES with 256-bit key in CBC mode CBC mode is not perfect, but still not "unsafe".	Secure
`rijndael-cbc@lysator.liu.se`	AES with 256-bit key in CBC mode CBC mode is not perfect, but still not "unsafe".	Secure

MAC Algorithms

`hmac-sha2-512-96`		Unknown
`hmac-sha2-256`	Hash-based MAC using SHA-256	Secure
`hmac-sha2-512`	Hash-based MAC using SHA-512	Secure
`hmac-sha2-256-96`	Hash-based MAC using SHA-256 truncated to 96 bits Tag size should be at least 128 bits; SHA2-256-96 truncates to 96 bits.	Weak

Key Exchange Algorithms

ecdh-sha2-nistp256Elliptic Curve Diffie-Hellman on NIST P-256 curve with SHA-256 hash Possible NSA backdoor.Secure

ecdh-sha2-nistp384Elliptic Curve Diffie-Hellman on NIST P-384 curve with SHA-384 hash Possible NSA backdoor.Secure

ecdh-sha2-nistp521Elliptic Curve Diffie-Hellman on NIST P-521 curve with SHA-512 hash Possible NSA backdoor.Secure

diffie-hellman-group14-sha1 Diffie-Hellman with 2048-bit Oakley Group 14 with SHA-1 hash Oakley Group 14 should be secure for now. SHA-1 is becoming obsolete, consider using SHA-256 version.Weak

0 calc2014 over 4 years ago in reply to gnoonan

gnoonan thats a nice report, how did you get that?
ivodlouhy bshopp Any news on this? It seems had there is only 1 key exchange that is now considered 'secure' but it is obselete. When will you implement diffie-hellman-group-exchange-sha256?
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 4 years ago in reply to calc2014

Any news on this ivodlouhy bshopp?
Have you found any solution gnoonan fluffy midnight?
Cancel
Vote Up 0 Vote Down

Cancel
0 ivodlouhy over 4 years ago in reply to calc2014

It is in our roadmap to include more supported SSH key exchange algorithms in Serv-U. Currently we support following
DH-GROUP1-SHA1
DH-GROUP14-SHA1
ECHD-SHA2-NISTP256
ECHD-SHA2-NISTP384
ECHD-SHA2-NISTP521
Cancel
Vote Up +7 Vote Down

Cancel
0 fluffy_midnight over 4 years ago in reply to calc2014

Hi calc2014,
I can confirm that versions prior to and equal to 15.1.7 do not have this feature. (15.1.7 simply comprised of fixes, and hotfixes of previous versions.
If you're having the same issue, contact support and see if they have any recommendations.
-Midnight
Cancel
Vote Up 0 Vote Down

Cancel
0 fluffy_midnight over 4 years ago in reply to ivodlouhy

Some very interesting information!
Could you add that to the roadmap post?: What We're Working On - Serv-U FTP Server, Serv-U MFT Server & FTP Voyager - Updated June 26, 2019
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 4 years ago in reply to ivodlouhy

ivodlouhyAny news on this? More users asking for support for modern ciphers as services like Azure SFTP do not support Diffie-Hellman Group 1 SHA1 by default, so they cannot connect to Serv-U.
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 3 years ago

ivodlouhyCould you let us know if this has been fixed/support added in v15.2? Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 calc2014 over 3 years ago in reply to ivodlouhy

ivodlouhyGreat, did these get added in v15.2 from the roadmap?
Cancel
Vote Up 0 Vote Down

Cancel