3 Replies Latest reply on Sep 11, 2019 9:25 AM by calc2014

    Serv-U /  diffie-hellman-group-exchange-sha256

    brandonrivera01

      Has anyone been able to get Serv-U to work when the client is requiring key exchange diffie-hellman-group-exchange-sha256?  We're running Serv-U 15.1.6, but it's not working because I don't think this version supports key exchange diffie-hellman-group-exchange-sha256.  Thanks.

        • Re: Serv-U /  diffie-hellman-group-exchange-sha256
          fluffy midnight

          Hi brandonrivera01,

           

          I'm currently on Serv-U 15.1.5 which uses diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1.

           

          I suspect 15.1.6 is still the same; I'd recommend contacting support to see if they have a workaround or recommendation.

           

          -Midnight

          • Re: Serv-U /  diffie-hellman-group-exchange-sha256
            gnoonan

            I don't think you will find that it is supported.  We pushed Solarwinds to get some SHA2 stuff added to 15.1.6.  If you tighten up your available SSH security you can only really get as far as this:

             

            Encryption Algorithms

            | Algorithm | Description | Notes | Rating |
            |---|---|---|---|
            | aes256-ctr | AES with 256-bit key in CTR mode | | Secure |
            | aes256-cbc | AES with 256-bit key in CBC mode | CBC mode is not perfect, but still not "unsafe". | Secure |
            | rijndael256-cbc | AES with 256-bit key in CBC mode | CBC mode is not perfect, but still not "unsafe". | Secure |
            | rijndael-cbc@lysator.liu.se | AES with 256-bit key in CBC mode | CBC mode is not perfect, but still not "unsafe". | Secure |

            MAC Algorithms

            | Algorithm | Description | Notes | Rating |
            |---|---|---|---|
            | hmac-sha2-512-96 | | | Unknown |
            | hmac-sha2-256 | Hash-based MAC using SHA-256 | | Secure |
            | hmac-sha2-512 | Hash-based MAC using SHA-512 | | Secure |
            | hmac-sha2-256-96 | Hash-based MAC using SHA-256 truncated to 96 bits | Tag size should be at least 128 bits; SHA2-256-96 truncates to 96 bits. | Weak |

            Key Exchange Algorithms

            | Algorithm | Description | Notes | Rating |
            |---|---|---|---|
            | ecdh-sha2-nistp256 | Elliptic Curve Diffie-Hellman on NIST P-256 curve with SHA-256 hash | Possible NSA backdoor. | Secure |
            | ecdh-sha2-nistp384 | Elliptic Curve Diffie-Hellman on NIST P-384 curve with SHA-384 hash | Possible NSA backdoor. | Secure |
            | ecdh-sha2-nistp521 | Elliptic Curve Diffie-Hellman on NIST P-521 curve with SHA-512 hash | Possible NSA backdoor. | Secure |
            | diffie-hellman-group14-sha1 | Diffie-Hellman with 2048-bit Oakley Group 14 with SHA-1 hash | Oakley Group 14 should be secure for now. SHA-1 is becoming obsolete, consider using SHA-256 version. | Weak |
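
Added example, not part of any post in this thread and not Serv-U code: a minimal SSH_MSG_KEXINIT builder/parser and the client-preference matching rule from RFC 4253 section 7.1, run against the algorithm lists quoted in the last reply. The client lists, the `ssh-rsa` host key entry, the `none` compression entry and the all-zero cookie are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Serialize a KEXINIT payload; fields missing from `lists` are sent empty."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie: constructed sample
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [names]}, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate(client, server, fields=("kex", "enc_c2s", "mac_c2s")):
    """First client-preferred name the server also lists, else None.
    Simplified: the host-key capability conditions on kex are not modelled."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in fields}

# Server lists as quoted in the reply above; host key and compression are constructed.
ENC = ["aes256-ctr", "aes256-cbc", "rijndael256-cbc", "rijndael-cbc@lysator.liu.se"]
MAC = ["hmac-sha2-512-96", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha2-256-96"]
SERVER = parse_kexinit(build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"], "enc_c2s": ENC, "enc_s2c": ENC,
    "mac_c2s": MAC, "mac_s2c": MAC, "comp_c2s": ["none"], "comp_s2c": ["none"]}))

def client(kex):  # constructed client that prefers aes256-ctr and hmac-sha2-256
    return {"kex": kex, "enc_c2s": ["aes256-ctr"], "mac_c2s": ["hmac-sha2-256"]}

strict = negotiate(client(["diffie-hellman-group-exchange-sha256"]), SERVER)
relaxed = negotiate(client(["diffie-hellman-group-exchange-sha256",
                            "ecdh-sha2-nistp256"]), SERVER)
print(strict, relaxed, sep="\n")
```

A `None` for `kex` is the "no matching key exchange method" case the original question describes: the cipher and MAC still match, so the connection fails on key exchange alone.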