Skip to main content
S
seth_1207
Inspiring
March 9, 2025
Answered

ColdFusion 2021 Update 17 - sftp negotiation failed

  • March 9, 2025
  • 1 reply
  • 1423 views

Hello all,

We were running on Update 11, and have a scheduled task that uses certificate file to connect.
Before update it was working fine.

Now after update we are getting this:

 

ErrorCode82
ErrorTextAlgorithm negotiation fail: algorithmName="cipher.c2s" jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
ReturnValue82 Algorithm negotiation fail: algorithmName="cipher.c2s" jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
SucceededNO

So obviously we are proposing algorithms that the remote server does not support.
I cannot find anywhere to allow for aes256-CBC to be used on our end.

So how I do I at least enable an algorithm that their server supports???

 

 

 

Correct answer seth_1207

Seth, given the issue is cfftp and sftp--and since the failure arose on your update of cf--there was indeed a change in October regarding sftp, in cf2021 update 17 and cf2023 update 11. 

 

You say you were on cf2021 update 11 (which is from Oct 2023, btw) and per the technote for update 17, there was mention in the bug fixes section of a change to sftp which called for some to need to add either or both of a pair of jvm args to the startup of cf, to maintain backward compatibility:

 

-Dcoldfusion.sftp.fingerprint=md5 -Dcoldfusion.sftp.enable-ssh-rsa=TRUE

 

I'd recommend you try at least the second. And I realize that your error message might make it seem this is NOT the solution. If you're game to give it a try, let us know how it goes. 

 

Of course, changing the jvm args is something to be very careful about. You can use the cf admin "java and jvm" page and its java args box--but these are to be added to that long list of them (like at the end), but NOT ON A NEW LINE. If you get this wrong, cf won't start.

 

Indeed, as you may know, that page changes the underlying jvm.config file, in cfusion/bin (or [instancename]/bin. You should make a backup of that first. You can also just edit it directly, and its args line. 

 

Finally, I was thrown by your original note saying you "have a scheduled task that uses certificate file to connect". I didn't see that being about sftp. Perhaps Dave felt the same, thus his suggestion about the cert for a cfhttp or similar calls: as you may know, scheduled tasks run like a cfhttp.

 

Again, though, since you feel this failed upon updating cf (alone, right?), that suggests this other matter. Let us know how it goes. It's something I've long been wanting to explore more to understand it better, but for now I wanted to propose at least this for you. 


@Charlie Arehartand @Dave Watts 
I was able to get it figured out. Thank you both for your help!!!!
Been killing me all weekend.

I had to add these flags to jvm.config file

-Dcoldfusion.sftp.enable-ssh-rsa=TRUE -Dcoldfusion.sftp.fingerprint=md5 -Djsch.cipher=aes128-cbc

1 reply

D
Dave Watts
Community Expert
March 9, 2025

If you're using a client certificate with CFHTTP or any other HTTP client, you have to generate that yourself. The tool you use to generate it should have options for you to change encryption to what you need. If you're using jsch directly, or using a library that's a wrapper for jsch, you might find this useful:

 

https://stackoverflow.com/questions/78129815/jsch-jschalgonegofailexception-algorithm-negotiation-fail

(the single response in this thread is by Matthias Wiedemann, the developer of a popular jsch fork, and is worth clicking through)

 

If you're using openssl, you can check the online documentation for that. I'll point you to the actual docs, but I always find them difficult to figure out:

 

https://docs.openssl.org/master/man1/openssl/

 

Here are some alternatives:

 

https://mariadb.com/docs/server/security/data-in-transit-encryption/create-self-signed-certificates-keys-openssl/

(ignore the self-signed bits and just use your real CA root and intermediate certs)

 

https://stackoverflow.com/questions/76254573/changing-encryption-in-pkcs12-file-from-rc2-40-cbc-to-aes-256-cbc-using-openssl

(ignore the pkcs12-specific bits and read the rest)

 

Dave Watts, Eidolon LLC
S
seth_1207Author
Inspiring
March 9, 2025

Hi Dave, thanks for the response.
So I am not very profecient with CF.
The code that is being used is CFFTP and then the parameters are set up in there
<cfftp 
        action = "open"
        connection = "********"
        key = "certfile.priv"
        username = "USER"
        passphrase = "passphrase"
        port = "22"
        retryCount = "2"
        secure = "yes"
        server = "******"
        stopOnError = "no"
        timeout = "30"
        result = "OpenResult">

That is what we have set up and as I said it worked before.
So with the info you posted above, does any of that apply?

S
seth_1207Author
Inspiring
March 10, 2025

Thanks for the update, and glad to hear.

 

You should mark your reply as the answer. You can also mark mine as one for its added background, to help future readers.

 

One last thing, though: are you saying you did try JUST your -Djsch.cipher=aes128-cbc and that alone didn't work? It could be helpful for folks to know. All these are things we'd benefit understanding better, for sure. 🙂 Until then, we have these options. 


Will do.

I tried these 2 flags you recommended
-Dcoldfusion.sftp.enable-ssh-rsa=TRUE -Dcoldfusion.sftp.fingerprint=md5
They didn't work.
So adding in the 3rd flag allowed us to establish connection and pickup the files.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices