Debug why AQNet.sftpTo() fails to connect to BrickFTP.com
See here: http://stackoverflow.com/questions/6263630/jschexception-algorithm-negotiation-fail
See this comment:
"You could also check the Key Exchange Algorithms if the problem appears again. Recent versions of debian and synology DSM ship OpenSSH with diffie-hellman-group1-sha1 disabled, and Jsch doesn't seem to support the others. If you can, add KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 to your sshd_config on the server. At least this worked for me (TeamCity 8.1.5 vs. git repository on Synology DSM 5.1)."
See here: https://brickftp.com/2017/03/31/cipher-suite-change/
If you opt out of the new security updates it works.
We can get a free trial and test/debug the issue.
The error is "Algorithm negotiation fail", which is raised from com.jcraft.jsch.Session.receive_kexinit(). See attached.
This may also be a factor: https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
@kin-hong: let's do a hangout on Monday to discuss.
While debugging this issue, I came across a separate, non-related bug in the Apache Ant SCP implementation. If my username contains the '@' character, e.g. user@host.com, then the URI will start with user@host.com@server.brickftp.com:.... - but org.apache.tools.ant.taskdefs.optional.ssh#parseUri will incorrectly parse out the username as user and the host as host.com@server.brickftp.com. This is discussed more here.
To get around this bug, we will override the org.apache.tools.ant.taskdefs.optional.ssh#SSHBase#openSession method to reset the username and host correctly before the session is opened.
I have checked in the fix for the above (trunk r54452, v18 r54453: 18.0.12-9).
@qa, please test the following Open APIs for regression:
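The parsing pitfall described in the comment above, as an added example that is not Ant's parseUri nor ADS code: a naive split on the first '@' mis-assigns a username that itself contains '@', while splitting on the last '@' before the path separator recovers the intended user, host and path. The class and method names (ScpTargetSplitter, splitNaive, splitUserHost) are hypothetical, and the sample target is constructed.

```java
// Added example (not Ant or ADS code): splitting an scp-style
// "user@host:path" target when the username itself contains '@'.
public final class ScpTargetSplitter {

    /** Holder for the three parts of an scp-style target. */
    public static final class Target {
        public final String user;
        public final String host;
        public final String path;

        Target(String user, String host, String path) {
            this.user = user;
            this.host = host;
            this.path = path;
        }

        @Override
        public String toString() {
            return "user=" + user + " host=" + host + " path=" + path;
        }
    }

    /**
     * Naive split: the FIRST '@' is taken as the user/host boundary.
     * This reproduces the behaviour the comment above describes, so
     * "user@host.com@server.brickftp.com:/in" yields user "user" and
     * host "host.com@server.brickftp.com".
     */
    public static Target splitNaive(String uri) {
        int colon = uri.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("missing ':' before path: " + uri);
        String userHost = uri.substring(0, colon);
        String path = uri.substring(colon + 1);
        int at = userHost.indexOf('@');
        if (at < 0) throw new IllegalArgumentException("missing '@' between user and host: " + uri);
        return new Target(userHost.substring(0, at), userHost.substring(at + 1), path);
    }

    /**
     * Correct split: a hostname can never contain '@', so the LAST '@'
     * before the path separator is the user/host boundary. Everything
     * before it is the username, embedded '@' characters included.
     */
    public static Target splitUserHost(String uri) {
        int colon = uri.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("missing ':' before path: " + uri);
        String userHost = uri.substring(0, colon);
        String path = uri.substring(colon + 1);
        int at = userHost.lastIndexOf('@');
        if (at < 0) throw new IllegalArgumentException("missing '@' between user and host: " + uri);
        return new Target(userHost.substring(0, at), userHost.substring(at + 1), path);
    }

    public static void main(String[] args) {
        // Constructed sample target; the hostname is a placeholder, not a real account.
        String uri = "user@host.com@server.brickftp.com:/incoming/report.csv";
        System.out.println("naive:   " + splitNaive(uri));
        System.out.println("correct: " + splitUserHost(uri));
    }
}
```

Running the main method prints the two interpretations side by side: the naive split reports host "host.com@server.brickftp.com", which is why the connection is attempted against the wrong name, while the last-'@' split reports user "user@host.com" and host "server.brickftp.com".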
I have added the ability to route log messages generated by JSch to ADS's CLog. See the attached logger.config which enables JSch INFO level logging. I am able to successfully sftp to BrickFTP (with ADS running under Ubuntu 16.04 LTS). See the attached test.xjs. The JSch messages are captured in datastudio.log file (attached).
In ADS v18, we upgraded the jsch library to version 1.53.
ADS v17 uses the jsch library 1.50.
Starting in jsch 1.51, the following ciphers & kex algorithms are enabled by default. Because "diffie-hellman-group-exchange-sha256" (& some ciphers) are not enabled by default in 1.50, we are not able to connect to the BrickFTP server when "Enable Insecure Old Ciphers for HTTPS, FTPS, and SFTP for Compatibility" is off.
- change: aes192-ctr, aes256-ctr and diffie-hellman-group-exchange-sha256 have been enabled by default.
- change: key exchange methods ecdh-sha2-nistp256, ecdh-sha2-nistp384 and ecdh-sha2-nistp521 have been enabled by default.
- change: support for host keys in ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521 has been enabled by default.
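The two points raised in the comments above, pinning the key-exchange and cipher lists so the negotiation no longer depends on which JSch release's defaults are in effect, and routing JSch's internal log lines into the application's own logger (the mechanism a CLog bridge would sit on), as one added example that is neither ADS's nor JSch's own code. The algorithm names are the ones the quoted changelog says 1.51 enabled by default and must be ones the JSch build in use actually implements; host, user, password, file names and the `SFTP_*` environment variables are placeholders.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Logger;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

// Added example (not ADS or JSch project code). Pins the kex/cipher lists on a
// session and bridges JSch's own log output, so an "Algorithm negotiation fail"
// can be read alongside the KEXINIT lines JSch logs at INFO level.
public final class SftpKexExample {

    // Taken from the changelog quoted above: the methods 1.51 turned on by
    // default. Listing them explicitly removes the dependence on the defaults
    // of whichever JSch version happens to be on the classpath.
    static final String KEX =
        "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
      + "diffie-hellman-group-exchange-sha256";
    static final String CIPHERS = "aes256-ctr,aes192-ctr,aes128-ctr";

    /** Bridge JSch's internal log into the host application's logger (here: stderr). */
    static final class StderrLogger implements Logger {
        private final int threshold; // e.g. Logger.INFO

        StderrLogger(int threshold) {
            this.threshold = threshold;
        }

        @Override
        public boolean isEnabled(int level) {
            return level >= threshold;
        }

        @Override
        public void log(int level, String message) {
            System.err.println("[jsch " + name(level) + "] " + message);
        }

        private static String name(int level) {
            switch (level) {
                case Logger.DEBUG: return "DEBUG";
                case Logger.INFO:  return "INFO";
                case Logger.WARN:  return "WARN";
                case Logger.ERROR: return "ERROR";
                case Logger.FATAL: return "FATAL";
                default:           return String.valueOf(level);
            }
        }
    }

    /** Upload one file over SFTP with explicit algorithm lists and strict host-key checking. */
    public static void upload(String host, String user, String password,
                              String localFile, String remotePath)
            throws JSchException, SftpException {
        JSch.setLogger(new StderrLogger(Logger.INFO));   // global, set once per JVM
        JSch jsch = new JSch();
        // Host keys must already be in known_hosts; an ecdsa-sha2-* server key
        // needs an entry of that type after the library upgrade.
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");

        Session session = jsch.getSession(user, host, 22);
        session.setPassword(password);
        // Per-session overrides of the library defaults.
        session.setConfig("kex", KEX);
        session.setConfig("cipher.c2s", CIPHERS);
        session.setConfig("cipher.s2c", CIPHERS);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.connect(15_000);

        ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
        try {
            sftp.connect(15_000);
            sftp.put(localFile, remotePath);
        } finally {
            sftp.disconnect();
            session.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Which algorithms this build negotiates by default; compare 1.50 against 1.53.
        System.out.println("default kex: " + JSch.getConfig("kex"));
        System.out.println("default c2s: " + JSch.getConfig("cipher.c2s"));

        // Placeholder connection details, supplied through the environment.
        String host = System.getenv("SFTP_HOST");       // e.g. <your-subdomain>.brickftp.com
        String user = System.getenv("SFTP_USER");
        String pass = System.getenv("SFTP_PASSWORD");
        if (host == null || user == null || pass == null) {
            System.err.println("set SFTP_HOST, SFTP_USER and SFTP_PASSWORD");
            return;
        }
        upload(host, user, pass, "report.csv", "/incoming/report.csv");
    }
}
```

Printing `JSch.getConfig("kex")` before connecting is the quickest way to confirm which library version a given ADS build is actually loading: the 1.50 string lacks the diffie-hellman-group-exchange-sha256 and ecdh-sha2-* entries, the 1.53 string carries them. The explicit `session.setConfig` calls make the outcome the same on both.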
Issue #15244 | Closed | Fixed | Resolved | Completion | No due date | No fixed build | No time estimate