EldoS | Feel safer!

"Invalid MAC" when connecting to SunOS

#7378
Posted: 08/20/2008 14:20:09
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

I'm using SecureBlackBox 6.0.144 compiled with Delphi 2007. One of our customers is getting an "Invalid MAC" error when connecting to SunOS:
"SunOS nsdeap23 5.10 Generic_127111-08 sun4v sparc SUNW,Sun-Fire-T200"

It occurs sometime between us receiving the server key and before the connection is established. What does the error mean, and how can we work around it?
#7384
Posted: 08/21/2008 01:50:30
by Eugene Mayevski (EldoS Corp.)

The error means that either the server sends some junk during handshake or the server doesn't understand the data sent by the client (depending on whether the reported error is Local or Remote).
The only way to solve the problem is to have access to this server and try various combinations of settings as described in the FAQ article.


Sincerely yours
Eugene Mayevski
#7517
Posted: 09/03/2008 14:37:00
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

I already have an OnError handler, and the only message I'm getting from it is "Invalid MAC". The FAQ article you linked to doesn't actually talk about which settings to change. Which specific properties should I try changing (Compression, Encryption, Kex)? Are there any that are good fail-safe type values we can start with? Have you done any testing against SunOS?
#7519
Posted: 09/03/2008 22:55:22
by Eugene Mayevski (EldoS Corp.)

You need to try different combinations of different properties. Unfortunately there's no easier algorithm to solve the problem other than to disable all algorithms and start enabling them one by one. We can do this for you if you provide (here or in HelpDesk) the address of the server. We don't need login info at this step, just the address and port number.

There exists a myriad of different SSH/SFTP servers (I think several hundred platform/product/version/patch combinations) and we can't address them all. Unfortunately we haven't had any experience with SunOS SSH/SFTP servers yet.

Sincerely yours
Eugene Mayevski
#7523
Posted: 09/04/2008 15:01:17
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

Sorry, it's a customer's server and it apparently doesn't have public internet access. Do you have any scripts/programs handy that I can send them that do automated cycling between the algorithms? I can whip one up quickly if you don't; just thought I'd ask.
#7525
Posted: 09/05/2008 03:43:40
by Ken Ivanov (EldoS Corp.)

First of all, please set AutoAdjustCiphers property to true and check if it solves the issue.
#7529
Posted: 09/05/2008 09:45:22
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

I already have AutoAdjustCiphers set; no, it doesn't help.
#7530
Posted: 09/05/2008 10:48:34
by Ken Ivanov (EldoS Corp.)

It is likely that the server incorrectly uses one of the MAC algorithms, so it would be natural to start the investigation from MAC algorithms. Please try to disable all the MAC algorithms and then enable them one-by-one starting from SSH_MA_HMAC_SHA1 and SSH_MA_HMAC_MD5.
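As an added illustration of what the client is checking when it reports "Invalid MAC", and of why isolating one MAC algorithm at a time pinpoints the culprit, the following Python (not EldoS or SecureBlackBox code) recomputes the SSH per-packet MAC from RFC 4253 and reports which algorithm would have produced a received tag. The integrity key, sequence number and payload are constructed sample values, and the RIPEMD160 variants are left out because hashlib does not provide RIPEMD160 on every build.

```python
import hashlib
import hmac
import struct

# Hypothetical diagnostic. SSH computes each packet's MAC (RFC 4253 section 6.4) as
# MAC(integrity_key, uint32 sequence_number || unencrypted packet). "Invalid MAC" means the
# tag the peer sent differs from the tag computed locally with the negotiated algorithm and
# key; a peer that computes a different algorithm than it negotiated is one cause.
MAC_ALGS = {                      # name -> (hash, tag length in bytes)
    "hmac-sha1": (hashlib.sha1, 20),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5": (hashlib.md5, 16),
    "hmac-md5-96": (hashlib.md5, 12),
}

def build_packet(payload, block_size=16, pad_byte=b"\x00"):
    """Frame a payload as an SSH binary packet: uint32 length, byte padlen, payload, padding.
    The total must be a multiple of block_size with at least 4 bytes of padding (RFC 4253
    section 6). Real padding is random; a fixed byte is used here for repeatability."""
    padlen = block_size - (5 + len(payload)) % block_size
    if padlen < 4:
        padlen += block_size
    return struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + pad_byte * padlen

def ssh_mac(alg, key, seqno, packet):
    """Tag for one packet under the named algorithm (truncated for the -96 variants)."""
    digest, taglen = MAC_ALGS[alg]
    return hmac.new(key, struct.pack(">I", seqno) + packet, digest).digest()[:taglen]

def verify_mac(alg, key, seqno, packet, received):
    """True if received is the tag the negotiated algorithm yields; False is 'Invalid MAC'."""
    return hmac.compare_digest(ssh_mac(alg, key, seqno, packet), received)

def identify_mac(key, seqno, packet, received):
    """List the algorithms in MAC_ALGS that would have produced the received tag. Run on a
    failing packet with the derived integrity key, this shows whether the peer used a
    different MAC than the one it negotiated (empty list: wrong key or sequence number)."""
    return [alg for alg in MAC_ALGS if verify_mac(alg, key, seqno, packet, received)]

# Constructed sample: a fake integrity key and an SSH_MSG_IGNORE payload (type byte 2).
KEY = b"constructed-integrity-key-not-real"
PACKET = build_packet(b"\x02" + struct.pack(">I", 4) + b"ping")
SEQNO = 7

if __name__ == "__main__":
    tag = ssh_mac("hmac-md5", KEY, SEQNO, PACKET)          # peer actually used hmac-md5
    print("negotiated hmac-sha1 verifies:", verify_mac("hmac-sha1", KEY, SEQNO, PACKET, tag))
    print("algorithms matching the tag:", identify_mac(KEY, SEQNO, PACKET, tag))
```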
#7533
Posted: 09/05/2008 16:35:07
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

Thank you, that did it. There's apparently a bug in their RIPEMD160/RIPEMD_OPENSSH algorithms, so I increased the priorities of SHA1 and MD5 to work around it. The server itself was OpenSSH 4.3, but it obviously isn't broken in all cases.
