Archived Forum Post

Index of archived forum posts

Question:

Unexpected DISCONNECT on SFTP key exchange

Aug 16 '16 at 19:38

Hi.

The problem occurs while connecting to ebibkom.deutschepost.de Same issue with current version 9.5.0.58 Server works with FileZilla and cURL.

ChilkatLog:
  Connect_SFtp:
    DllDate: Apr 21 2014
    ChilkatVersion: 9.5.0.33
    Architecture: Little Endian; 32-bit
    Language: Visual C++ 10.0 (32-bit)
    VerboseLogging: 0
    SftpVersion: 0
    hostname: ebibkom.deutschepost.de
    port: 22
    Established TCP/IP connection with SSH server
    clientIdentifier: SSH-2.0-PuTTY_Local:_May_11_2009_17:22:38
    Sending client identifier...
    Done sending client identifier.
    Reading server version...
    initialDataFromSshServer: SSH-2.0-6.4.6.215 SSH Tectia Server

    serverVersion: SSH-2.0-6.4.6.215 SSH Tectia Server
    KeyExchangeAlgs:
      algorithm: diffie-hellman-group1-sha1
      algorithm: diffie-hellman-group14-sha1
      algorithm: diffie-hellman-group14-sha256@ssh.com
      algorithm: diffie-hellman-group-exchange-sha1
      algorithm: diffie-hellman-group-exchange-sha256
    --KeyExchangeAlgs
    HostKeyAlgs:
      algorithm: ssh-rsa
      algorithm: ssh-rsa-sha256@ssh.com
    --HostKeyAlgs
    EncCS:
      algorithm: aes128-ctr
      algorithm: aes192-ctr
      algorithm: aes256-ctr
      algorithm: aes128-cbc
      algorithm: aes192-cbc
      algorithm: aes256-cbc
      algorithm: 3des-cbc
      algorithm: crypticore128@ssh.com
    --EncCS
    EncSC:
      algorithm: aes128-ctr
      algorithm: aes192-ctr
      algorithm: aes256-ctr
      algorithm: aes128-cbc
      algorithm: aes192-cbc
      algorithm: aes256-cbc
      algorithm: 3des-cbc
      algorithm: crypticore128@ssh.com
    --EncSC
    MacCS:
      algorithm: hmac-sha1-96
      algorithm: hmac-sha256-2@ssh.com
      algorithm: hmac-sha224@ssh.com
      algorithm: hmac-sha256@ssh.com
      algorithm: hmac-sha384@ssh.com
      algorithm: hmac-sha512@ssh.com
      algorithm: crypticore-mac@ssh.com
    --MacCS
    MacSC:
      algorithm: hmac-sha1-96
      algorithm: hmac-sha256-2@ssh.com
      algorithm: hmac-sha224@ssh.com
      algorithm: hmac-sha256@ssh.com
      algorithm: hmac-sha384@ssh.com
      algorithm: hmac-sha512@ssh.com
      algorithm: crypticore-mac@ssh.com
    --MacSC
    CompCS:
      algorithm: none
      algorithm: zlib
    --CompCS
    CompSC:
      algorithm: none
      algorithm: zlib
    --CompSC
    Encryption: 256-bit AES CTR
    Encryption: 256-bit AES CTR
    Unable to agree upon server-to-client MAC algorithm.
    Unable to agree upon client-to-server MAC algorithm.
    Compression: zlib
    Compression: zlib
    Key Exchange: DH Group Exchange SHA256
    Host Key Algorithm: RSA
    numBits: 256
    pbits: 4096
    Using GEX Group.
    Sending KEX_DH_GEX_REQUEST...
    pbits: 4096
    Unexpected message received.  Expected KEX_DH_GEX_GROUP/KEXDH_REPLY.
    msgType: DISCONNECT
    Failed.
  --Connect_SFtp
--ChilkatLog

Accepted Answer

This new build should do it now. (Sorry for the long delay..)

32-bit Download: http://www.chilkatsoft.com/download/preRelease/chilkat-9.5.0-x86-vc10.zip
64-bit Download: http://www.chilkatsoft.com/download/preRelease/chilkat-9.5.0-x86_64-vc10.zip

Please let me know if there are any problems.


Answer

It's likely not the same error. Post the LastErrorText for v9.5.0.58. I suspect it is different.


Answer

Looks the same...

ChilkatLog:
  Connect_SFtp(109ms):
    DllDate: Jun 13 2016
    ChilkatVersion: 9.5.0.58
    Architecture: Little Endian; 32-bit
    Language: Visual C++ 10.0 (32-bit)
    VerboseLogging: 1
    SftpVersion: 0
    connectInner(109ms):
      hostname: ebibkom.deutschepost.de
      port: 22
      sshConnect(62ms):
        SOCKS4:
          socksHostname: prox
          socksPort: 1080
          socksUsername: 
        --SOCKS4
        dnsLookup(31ms):
          domain: ebibkom.deutschepost.de
          domainLookup_ipv4(31ms):
            domainLookupIpv4_win32(31ms):
              resolveHostname1(31ms):
                dnsCacheLookup: ebibkom.deutschepost.de
                Resolving domain name (IPV4)
                resolvedToIp: 149.239.221.118
              --resolveHostname1
            --domainLookupIpv4_win32
          --domainLookup_ipv4
        --dnsLookup
        connectSocket(15ms):
          domainOrIpAddress: prox
          port: 1080
          connectTimeoutMs: 30000
          connect_ipv6_or_ipv4(15ms):
            Multi-threaded domain to IP address resolution
            connecting to IPV4 address...
            ipAddress: 192.168.101.42
            createSocket:
              Setting SO_SNDBUF size
              sendBufSize: 262144
              Setting SO_RCVBUF size
              recvBufSize: 4194304
            --createSocket
            connect(15ms):
              Waiting for the connect to complete...
              myIP: 192.168.123.139
              myPort: 21569
              socket connect successful.
            --connect
          --connect_ipv6_or_ipv4
        --connectSocket
        Established TCP/IP connection with SSH server
        Turning on TCP_NODELAY.
      --sshConnect
      sshSetupConnection(47ms):
        clientIdentifier: SSH-2.0-PuTTY_Release_0.66
        Sending client identifier...
        Done sending client identifier.
        Reading server version...
        initialDataFromSshServer: SSH-2.0-6.4.6.215 SSH Tectia Server

        serverVersion: SSH-2.0-6.4.6.215 SSH Tectia Server
        build_kexInit:
          preferRsaHostKeyAlgorithm: 1
        --build_kexInit
        KeyExchangeAlgs:
          algorithm: diffie-hellman-group1-sha1
          algorithm: diffie-hellman-group14-sha1
          algorithm: diffie-hellman-group14-sha256@ssh.com
          algorithm: diffie-hellman-group-exchange-sha1
          algorithm: diffie-hellman-group-exchange-sha256
        --KeyExchangeAlgs
        HostKeyAlgs:
          algorithm: ssh-rsa
          algorithm: ssh-rsa-sha256@ssh.com
        --HostKeyAlgs
        EncCS:
          algorithm: aes128-ctr
          algorithm: aes192-ctr
          algorithm: aes256-ctr
          algorithm: aes128-cbc
          algorithm: aes192-cbc
          algorithm: aes256-cbc
          algorithm: 3des-cbc
          algorithm: crypticore128@ssh.com
        --EncCS
        EncSC:
          algorithm: aes128-ctr
          algorithm: aes192-ctr
          algorithm: aes256-ctr
          algorithm: aes128-cbc
          algorithm: aes192-cbc
          algorithm: aes256-cbc
          algorithm: 3des-cbc
          algorithm: crypticore128@ssh.com
        --EncSC
        MacCS:
          algorithm: hmac-sha1-96
          algorithm: hmac-sha256-2@ssh.com
          algorithm: hmac-sha224@ssh.com
          algorithm: hmac-sha256@ssh.com
          algorithm: hmac-sha384@ssh.com
          algorithm: hmac-sha512@ssh.com
          algorithm: crypticore-mac@ssh.com
        --MacCS
        MacSC:
          algorithm: hmac-sha1-96
          algorithm: hmac-sha256-2@ssh.com
          algorithm: hmac-sha224@ssh.com
          algorithm: hmac-sha256@ssh.com
          algorithm: hmac-sha384@ssh.com
          algorithm: hmac-sha512@ssh.com
          algorithm: crypticore-mac@ssh.com
        --MacSC
        CompCS(16ms):
          algorithm: none
          algorithm: zlib
        --CompCS
        CompSC:
          algorithm: none
          algorithm: zlib
        --CompSC
        ChosenIncomingEncryption: aes256-ctr
        ChosenOutgoingEncryptoin: aes256-ctr
        Unable to agree upon server-to-client MAC algorithm.
        Unable to agree upon client-to-server MAC algorithm.
        ChosenIncomingCompression: zlib
        ChosenOutgoingCompression: zlib
        ChosenKexAlgorithm: diffie-hellman-group-exchange-sha256
        choose_hostkey_algorithm:
          preferRsaHostKeyAlgorithm: 1
        --choose_hostkey_algorithm
        ChosenHostKeyAlgorithm: ssh-rsa
        numBits: 256
        pbits: 4096
        Using GEX Group.
        Sending KEX_DH_GEX_REQUEST...
        pbits: 4096
        Unexpected message received.  Expected KEX_DH_GEX_GROUP/KEXDH_REPLY.
        msgType: DISCONNECT
      --sshSetupConnection
    --connectInner
    Failed.
  --Connect_SFtp
--ChilkatLog

Answer

The problem is this:

Unable to agree upon server-to-client MAC algorithm.
Unable to agree upon client-to-server MAC algorithm.

The solution is to make the server accept more typical and commonly used (but also very secure) MAC algorithms, or to wait for Chilkat to implement a few of these other MAC algorithms..


Answer

I added support for hmac-sha1-96, so it should work now. Here's a new build:

32-bit Download: http://www.chilkatsoft.com/download/preRelease/chilkat-9.5.0-x86-vc10.zip
64-bit Download: http://www.chilkatsoft.com/download/preRelease/chilkat-9.5.0-x86_64-vc10.zip

-Matt


Answer

Wow, thanks a lot, that was quick.

The connection works. But there is a problem afterwards. Mayby a probem with hmac-sha1-96?

Connect_SFtp:
    DllDate: Aug  8 2016
    ChilkatVersion: 9.5.0.59
    Architecture: Little Endian; 32-bit
    Language: Visual C++ 10.0 (32-bit)
    VerboseLogging: 1
    SftpVersion: 0
    connectInner:
        hostname: ebibkom.deutschepost.de
        port: 22
        sshConnect:
            connectSocket:
                domainOrIpAddress: ebibkom.deutschepost.de
                port: 22
                connectTimeoutMs: 30000
                connect_ipv6_or_ipv4:
                    Multi-threaded domain to IP address resolution
                    resolveHostname6:
                        getAddressInfo:
                            (leaveContext 15ms)
                        (leaveContext 15ms)
                    findIpAddrInfo:
                        (leaveContext)
                    connecting to IPV4 address...
                    ipAddress: 149.239.221.118
                    createSocket:
                        Setting SO_SNDBUF size
                        sendBufSize: 262144
                        Setting SO_RCVBUF size
                        recvBufSize: 4194304
                        (leaveContext)
                    connect:
                        Waiting for the connect to complete...
                        ck_getsockname_ipv4:
                            (leaveContext)
                        myIP: 192.168.18.31
                        myPort: 6381
                        socket connect successful.
                        (leaveContext 32ms)
                    (leaveContext 47ms)
                (leaveContext 47ms)
            Established TCP/IP connection with SSH server
            Turning on TCP_NODELAY.
            (leaveContext 47ms)
        sshSetupConnection:
            clientIdentifier: SSH-2.0-PuTTY_Release_0.66
            Sending client identifier...
            Done sending client identifier.
            Reading server version...
            initialDataFromSshServer: SSH-2.0-6.4.6.215 SSH Tectia Server

            serverVersion: SSH-2.0-6.4.6.215 SSH Tectia Server
            build_kexInit:
                preferRsaHostKeyAlgorithm: 1
                (leaveContext)
            sendMessageInOnePacket:
                (leaveContext)
            KeyExchangeAlgs:
                algorithm: diffie-hellman-group1-sha1
                algorithm: diffie-hellman-group14-sha1
                algorithm: diffie-hellman-group14-sha256@ssh.com
                algorithm: diffie-hellman-group-exchange-sha1
                algorithm: diffie-hellman-group-exchange-sha256
                (leaveContext 16ms)
            HostKeyAlgs:
                algorithm: ssh-rsa
                algorithm: ssh-rsa-sha256@ssh.com
                (leaveContext)
            EncCS:
                algorithm: aes128-ctr
                algorithm: aes192-ctr
                algorithm: aes256-ctr
                algorithm: aes128-cbc
                algorithm: aes192-cbc
                algorithm: aes256-cbc
                algorithm: 3des-cbc
                algorithm: crypticore128@ssh.com
                (leaveContext)
            EncSC:
                algorithm: aes128-ctr
                algorithm: aes192-ctr
                algorithm: aes256-ctr
                algorithm: aes128-cbc
                algorithm: aes192-cbc
                algorithm: aes256-cbc
                algorithm: 3des-cbc
                algorithm: crypticore128@ssh.com
                (leaveContext)
            MacCS:
                algorithm: hmac-sha1-96
                algorithm: hmac-sha256-2@ssh.com
                algorithm: hmac-sha224@ssh.com
                algorithm: hmac-sha256@ssh.com
                algorithm: hmac-sha384@ssh.com
                algorithm: hmac-sha512@ssh.com
                algorithm: crypticore-mac@ssh.com
                (leaveContext 15ms)
            MacSC:
                algorithm: hmac-sha1-96
                algorithm: hmac-sha256-2@ssh.com
                algorithm: hmac-sha224@ssh.com
                algorithm: hmac-sha256@ssh.com
                algorithm: hmac-sha384@ssh.com
                algorithm: hmac-sha512@ssh.com
                algorithm: crypticore-mac@ssh.com
                (leaveContext)
            CompCS:
                algorithm: none
                algorithm: zlib
                (leaveContext)
            CompSC:
                algorithm: none
                algorithm: zlib
                (leaveContext)
            LangCS:
                (leaveContext)
            LangSC:
                (leaveContext)
            ChosenIncomingEncryption: aes256-ctr
            ChosenOutgoingEncryptoin: aes256-ctr
            ChosenIncomingMac: hmac-sha1-96
            ChosenOutgoingMac: hmac-sha1-96
            ChosenIncomingCompression: zlib
            ChosenOutgoingCompression: zlib
            ChosenKexAlgorithm: diffie-hellman-group-exchange-sha256
            choose_hostkey_algorithm:
                preferRsaHostKeyAlgorithm: 1
                (leaveContext)
            ChosenHostKeyAlgorithm: ssh-rsa
            numBits: 256
            pbits: 4096
            Using GEX Group.
            Sending KEX_DH_GEX_REQUEST...
            pbits: 4096
            sendMessageInOnePacket:
                (leaveContext)
            Received GEX Group.
            sendDhInit:
                create_E:
                    (leaveContext 327ms)
                sendMessageInOnePacket:
                    (leaveContext)
                Sent: SSH2_MSG_KEX_DH_GEX_INIT
                (leaveContext 327ms)
            computeExchangeHash:
                dhReplyMsgType: 33
                serverVersion: [SSH-2.0-6.4.6.215 SSH Tectia Server]
                Using SHA256 for Key Exchange Hash
                (leaveContext 15ms)
            RSA host key parsed successfully.
            HostKeyNumBits: 1536
            verifyHashSsh:
                Pkcs1_5_decode:
                    (leaveContext)
                (leaveContext)
            RSA signature verification success.
            rsa_key: 0000 0007 7373 682D 7273 6100 0000 0301
0001 0000 00C1 00C6 5561 71B7 43F0 6C96
4F52 14FA 2140 D807 2644 8EE8 C395 1F23
88F3 3347 16FD 0EF5 E930 C1F5 D44B F195
D361 3BE6 5314 2263 F3C9 5867 86AE 2E13
65AE 9E9B B70F 89D7 342F F73E E6AD 5F9C
B211 DFC4 1044 D635 00A5 736D FD7D D04A
AE50 B6DC B875 F07E 8EFC 7E7D 8448 17E0
30BE 2119 21AC 0760 92D0 36BB 4EED 2911
D888 986C CE0E 4B36 4A46 379F 99B0 C45D
EF68 33D2 DFC8 1DE7 06D0 0765 CA2A 3B1E
0B4D 1AD3 2401 4B56 DB93 7D82 F5E7 5D27
1920 9802 7B3C C487 9B96 E8A4 822D 7A4A
87BF 70A8 DF65 D7
            sigH: 0000 0007 7373 682D 7273 6100 0000 C0A6
1371 49D8 8DF6 9BB4 90A2 3F27 2CA1 EB96
5A6B 7830 0D6F 5E3B 4C4E 6670 72A7 5F70
E047 2A90 2700 E5BE 0215 A90B 231B 6AB4
8498 91F0 477F C03B A329 474A E72B 80AE
9363 11EE 9654 EB44 E463 E42F BF1F F952
A8E3 6BAD 3412 E80D 3C75 8AAA A5DC C14C
1C9F AD79 ECD5 13C9 A49C 2781 FC42 E1A0
9D63 2B17 A7DF C61A BFC2 4647 573D B79A
B2A2 17E5 38E7 9312 58E3 AFBD FD45 24D4
97A8 1FEC 07DD BDA9 8608 DB6C F16C DB0B
744D B875 AE32 49EC 1BFE 4043 E268 8277
CC1E 62F3 B86D E933 7779 EA98 3C1F DD
            exchangeHash: 0C7F 5B32 2C3F DDEF 61C4 D438 C4E8 CC9C
EA0B E5F7 5323 AEAD 0F98 43A1 9A35 1982

            Sending newkeys to server...
            sendMessageInOnePacket:
                (leaveContext)
            Expecting newkeys from server...
            SSH Key Exchange Success.
            installNewKeys:
                m_isRekey: 0
                Outgoing compression is now zlib.
                Incoming compression is now zlib.
                Outgoing encryption is now AES 256 CTR
                outgoingMac: SHA1-96
                initCrypt_aes:
                    (leaveContext)
                initCrypt_aes:
                    (leaveContext)
                (leaveContext)
            (leaveContext 826ms)
        socketOptions:
            SO_SNDBUF: 262144
            SO_RCVBUF: 4194304
            TCP_NODELAY: 1
            SO_KEEPALIVE: 0
            (leaveContext)
        Sending IGNORE message.
        sendMessageInOnePacket:
            (leaveContext)
        (leaveContext 873ms)
    Success.
    (leaveContext 889ms)
AuthenticatePw:
    DllDate: Aug  8 2016
    ChilkatVersion: 9.5.0.59
    UnlockPrefix: FORMATSSH
    Architecture: Little Endian; 32-bit
    Language: Visual C++ 10.0 (32-bit)
    VerboseLogging: 1
    login: [usr00006]
    login: usr00006
    sshAuthenticatePw:
        requestUserAuthService:
            sendServiceRequest:
                svcName: ssh-userauth
                sendMessageInOnePacket:
                    (leaveContext)
                SentServiceReq: ssh-userauth
                (leaveContext)
            mType: IGNORE
            sockRecv failed.
            sockRecvN_buf: Did not receive the exact number of bytes desired.
            numBytesToReceive: 16
            numBytesReceived: 0
            Failed to read 1st block_size bytes..
            Error reading service accept.
            (leaveContext 30358ms)
        (leaveContext 30358ms)
    Failed.
    (leaveContext 30358ms)
Disconnect:
    DllDate: Aug  8 2016
    ChilkatVersion: 9.5.0.59
    UnlockPrefix: FORMATSSH
    Architecture: Little Endian; 32-bit
    Language: Visual C++ 10.0 (32-bit)
    VerboseLogging: 1
    SshVersion: SSH-2.0-6.4.6.215 SSH Tectia Server
    SftpVersion: 0
    terminateConnection:
        TCP connection cleanly closed by peer.
        Cleanly terminated TCP connection.
        (leaveContext 31ms)
    (leaveContext 62ms)

Answer

Thanks! I'll investigate (most likely tomorrow because my schedule is full today..)

-Matt