CF2018 / CF2021 sFTP fail - Algorithm negotiation fail
We connect to a partner organization daily to grab sets of files using sFTP. We had received notice from them that they were deprecating ssh-rsa and only supporting rsa-sha2-256 and rsa-sha2-512 going forward. Well, the day has come, and apparently CF2018 (and 2021) are using ssh-rsa, as our connections have failed.
There's nothing in any documents or articles that we can find about switching, forcing or upgrading the CFFTP algorithm other than some bugs with CF2011 and a zlib jar.
Any help or ideas on how to get around this?
When connecting with CoreFTP, the connection is:
SH-2.0-SSHD
diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,rsa2048-sha256,ecdh-sha2-nistp384,ext-info-s
diffie-hellman-group-exchange-sha256
rsa-sha2-512
ciphers selected:
aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,des-cbc,des-cbc@ssh.com
client->server cipher: aes256-ctr
client->server mac: hmac-sha2-256
server->client cipher: aes256-ctr
server->client mac: hmac-sha2-256
SHA1 23:0b:3e:35:a6:85:78:77:fd:a2:bb:13:a6:34:8a:98:05:8b:08:8b
sending password...
PWD
Current directory is '/'
What error message do you get?
We ended up switching to JSch (http://www.jcraft.com/jsch/), which supports more modern protocols than CF's built-in sFTP capabilities. Not only did they require us to switch to rsa-sha2-512, but they're also going to allow only hmac-sha2-256 and hmac-sha2-512 for handshakes going forward - something else that it seems ACF sFTP doesn't support (or isn't documented).
Thanks for the update and for sharing your insight.
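Added example, not part of any post in this thread and not Adobe's or JSch's code: a simplified version of the SSH name-list matching from RFC 4253 section 7.1, showing which categories produce an "Algorithm negotiation fail" when a client still offers only ssh-rsa and older MACs. The server lists are taken from the CoreFTP log and the posts above (kex and cipher lists trimmed); both client lists are constructed assumptions, since the thread does not show what CFFTP actually offers.

```python
# Simplified SSH algorithm negotiation (RFC 4253 section 7.1): for each
# category the first algorithm on the client's list that the server also
# accepts is chosen; if there is none, the connection is refused.
# The extra kex/host-key compatibility rules of the RFC are not modelled.

# Server side, from the log and posts in this thread (lists trimmed).
SERVER = {
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha256",
            "diffie-hellman-group16-sha512"],
    "host_key": ["rsa-sha2-256", "rsa-sha2-512"],
    "cipher": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

# Constructed: what an older client might offer (assumption, not CFFTP's
# documented list).
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}

# Constructed: a client updated to the algorithms the partner requires.
MODERN_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha256"],
    "host_key": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "cipher": ["aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}


def negotiate(client, server):
    """Return (chosen, failed): the algorithm picked per category and the
    list of categories with no algorithm in common."""
    chosen, failed = {}, []
    for category, offered in client.items():
        accepted = set(server.get(category, []))
        pick = next((alg for alg in offered if alg in accepted), None)
        if pick is None:
            failed.append(category)
        else:
            chosen[category] = pick
    return chosen, failed


if __name__ == "__main__":
    for name, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        chosen, failed = negotiate(client, SERVER)
        print(name, "chosen:", chosen, "no common algorithm:", failed)
```

Comparing the client's real offer (from a debug log or packet capture of its KEXINIT) against the server's lists this way shows which category has to change before the connection can succeed.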

