FTP Secure - Algorithm negotiation fail

Description

None

Environment

 

Migrating from 5.3.X to 5.4.X prevents connections to secure FTP site using cfftp. Is there a way to warn or specify group 14 or other algorithms until upgrading?

Lucee 5.4.1.8 Error (java.io.IOException)

Message

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="kex" jschProposal="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"

Java Stacktrace

lucee.runtime.exp.NativeException: com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="kex" jschProposal="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
  at lucee.runtime.net.ftp.SFTPClientImpl.handleFail(SFTPClientImpl.java:394)
  at lucee.runtime.net.ftp.SFTPClientImpl.connect(SFTPClientImpl.java:117)
  at lucee.runtime.net.ftp.FTPWrap.connect(FTPWrap.java:118)
  at lucee.runtime.net.ftp.FTPWrap.<init>(FTPWrap.java:61)
  at lucee.runtime.net.ftp.FTPPoolImpl._get(FTPPoolImpl.java:83)
  at lucee.runtime.net.ftp.FTPPoolImpl.get(FTPPoolImpl.java:38)
  at lucee.runtime.tag.Ftp.getClient(Ftp.java:498)
  at lucee.runtime.tag.Ftp.actionOpen(Ftp.java:622)
  at lucee.runtime.tag.Ftp.doEndTag(Ftp.java:179)
  at schedprocs.dci.dcisitesimport_cfm$cf.udfCall(/schedprocs/DCI/DCISitesImport.cfm:101)
  at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:112)
  at lucee.runtime.type.UDFImpl._call(UDFImpl.java:350)
  at lucee.runtime.type.UDFImpl.call(UDFImpl.java:223)
  at lucee.runtime.type.scope.UndefinedImpl.call(UndefinedImpl.java:786)
  at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:787)
  at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1775)
  at schedprocs.dci.dcisitesimport_cfm$cf.call(/schedprocs/DCI/DCISitesImport.cfm:9)
  at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1056)
  at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:948)
  at lucee.runtime.listener.ClassicAppListener._onRequest(ClassicAppListener.java:65)
  at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:45)
  at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2493)
  at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2478)
  at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2449)
  at lucee.runtime.engine.Request.exe(Request.java:45)
  at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1216)
  at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1162)
  at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
  at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
  at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
  at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
  at java.base/java.lang.Thread.run(Thread.java:834)
 Caused by: java.io.IOException: com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="kex" jschProposal="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
  ... 51 more
 Caused by: com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="kex" jschProposal="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
  at com.jcraft.jsch.KeyExchange.guess(KeyExchange.java:155)
  at com.jcraft.jsch.Session.receive_kexinit(Session.java:569)
  at com.jcraft.jsch.Session.connect(Session.java:320)
  at com.jcraft.jsch.Session.connect(Session.java:187)
  at lucee.runtime.net.ftp.SFTPClientImpl.connect(SFTPClientImpl.java:101)
  ... 49 more

Activity

Eric Webb 
9 July 2023 at 21:52

Thanks, had to include both jsch.kex and jsch.server_host_key in the OPTS

Zac Spitzer 
9 July 2023 at 17:30

see https://github.com/mwiede/jsch/wiki/Jsch-Configuration#3-java-system-properties

5.4 and 6.0 use an updated fork of jsch, which adds modern algorithms but also deprecates some older insecure ones
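
An added example (not from the ticket or the Lucee project) of how the failure message above maps to the jsch.kex / jsch.server_host_key system properties mentioned in the comments: it keeps the client's modern list and appends the missing server algorithm last, so it is negotiated only with servers that offer nothing newer. The function names and the DENY list are assumptions of this example, as is the algorithmName in the message matching the property suffix.

```sh
#!/bin/sh
# Added example: derive a -Djsch.<name>= JVM option from a JSch negotiation failure.
# Constructed sample: the exception message quoted in the report above.
SAMPLE_MSG='Algorithm negotiation fail: algorithmName="kex" jschProposal="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"'

# Assumption of this example: legacy algorithms never re-enabled, even if offered.
DENY="diffie-hellman-group1-sha1,ssh-dss"

# msg_field NAME MESSAGE: print the value of NAME="..." found in the message.
msg_field() {
  printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# in_list ITEM COMMA_LIST: succeed if ITEM is an exact element of the list.
in_list() {
  case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# jsch_opt MESSAGE: print the JVM option; return 1 if the server offers nothing
# acceptable, 2 if the message cannot be parsed or names another algorithm class.
jsch_opt() {
  name=$(msg_field algorithmName "$1")
  client=$(msg_field jschProposal "$1")
  server=$(msg_field serverProposal "$1")
  [ -n "$client" ] && [ -n "$server" ] || return 2
  # Only the two properties named in the comments above are handled.
  case "$name" in kex|server_host_key) ;; *) return 2 ;; esac
  # ext-info-c is an RFC 8308 extension marker, not an algorithm; drop it.
  list=$(printf '%s' "$client" | sed 's/,ext-info-c$//')
  added=0
  old_ifs=$IFS; IFS=,
  for alg in $server; do
    # Append server algorithms the client lacks, unless they are denied.
    if ! in_list "$alg" "$list" && ! in_list "$alg" "$DENY"; then
      list="$list,$alg"; added=1
    fi
  done
  IFS=$old_ifs
  [ "$added" -eq 1 ] || return 1
  printf '%s\n' "-Djsch.$name=$list"
}

jsch_opt "$SAMPLE_MSG"
```

The printed option goes into the JVM options Lucee is started with (the "OPTS" in the comment above); run the function again on the next failure message if the host key algorithm also fails to negotiate.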

Unresolved


Created 9 July 2023 at 01:55
Updated 31 July 2023 at 16:51