EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Connection lost - Error code 105

#15992
Posted: 03/07/2011 10:24:23
by Robert Bindas (Basic support level)
Joined: 03/07/2011
Posts: 4

Hello Support Team,

We're using a SecureBlackBox component, version "EldoS.SSHBlackbox.5". A couple of days ago, after one of the servers that we are connecting to changed its physical location, the component "stopped working".

We cannot connect anymore using the component, as we were getting error 0 on each connection try. (This happened without any change on our side; the error code 105 mentioned below came after trying to configure the component manually.)

The server on its own seems to be OK, as connection is possible using an external tool (I use WinSCP for this).

I think this has to be some security/protocols/algorithm setup issue.

I've tried to manually configure the component, using log of successful connection (connection made using external tool - WinSCP).
What I expected is to see which protocols/algorithms are used while connecting, and configure your library that way.

Maybe if you see it, as SFTP topic experts, you can spot the missing/wrong configuration quickly.

Log of successful connection (using WinSCP tool http://winscp.net/eng/index.php ):

Looking up host "reports.paypal.com"
Connecting to 66.211.168.93 port 22
Server version: SSH-2.0-SSHD
We believe remote version has SSH-2 ignore bug
Using SSH protocol version 2
We claim version: SSH-2.0-WinSCP_release_4.3.2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 1024 87:a4:aa:4a:ef:bb:52:07:c2:6d:39:97:42:35:74:fe
Initialised AES-256 CBC client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 CBC server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "sftptK_paypal-inccleverbridge.co".
Prompt (5, SSH server: Password Authentication, Using keyboard-interactive authentication., Password: )
Using stored password.
Access granted
Opened channel for session
Started a shell/command
Doing startup conversation with host.
Type: SSH_FXP_INIT, Size: 5, Number: -1
Type: SSH_FXP_VERSION, Size: 5, Number: -1
SFTP version 3 negotiated.
We believe the server has signed timestamps bug
We will use UTF-8 strings for status messages only
Changing directory to "/".
Getting real path for '/'
Type: SSH_FXP_REALPATH, Size: 10, Number: 4368
Type: SSH_FXP_NAME, Size: 43, Number: 4368
Real path is '/'
Trying to open directory "/".
Type: SSH_FXP_LSTAT, Size: 10, Number: 4615
Type: SSH_FXP_ATTRS, Size: 29, Number: 4615
Getting current directory name.
Directory content loaded from cache.
Cached directory not reloaded.
Listing directory "/".
Type: SSH_FXP_OPENDIR, Size: 10, Number: 4875
Type: SSH_FXP_HANDLE, Size: 10, Number: 4875
Type: SSH_FXP_READDIR, Size: 10, Number: 5132
Type: SSH_FXP_NAME, Size: 318, Number: 5132
Type: SSH_FXP_READDIR, Size: 10, Number: 5388
Type: SSH_FXP_STATUS, Size: 17, Number: 5388
Status code: 1
Type: SSH_FXP_CLOSE, Size: 10, Number: 5636
Startup conversation with host finished.


Configuration of the SecureBlackBox SFTP component (connection not successful - error code 105 returned), written in C#.

var sftpClient = new TElSimpleSFTPClient();

sftpClient.OnError += new SBSSHCommon.TSSHErrorEvent(sftpClient_OnError);

sftpClient.Versions = 8;
sftpClient.AuthenticationTypes = 16;

// Only the encryption algorithms are reset to "disabled" here.
for (short i = SBSSHConstants.Unit.SSH_EA_FIRST; i <= SBSSHConstants.Unit.SSH_EA_LAST; i++)
{
    sftpClient.set_EncryptionAlgorithms(i, false);
}

sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES256, true);
sftpClient.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_SHA1, true);
// Note: a KEX constant is passed to the MAC setter here; the follow-up post uses set_KexAlgorithms.
sftpClient.set_MacAlgorithms(SBSSHConstants.Unit.SSH_KEX_RSA1024_SHA1, true);

sftpClient.AutoAdjustCiphers = true;

var currentCredential = ObjectManagement.GetPaymentproviderCredential(Paymentprovider.Paypal, credentialTypeID, IntDbValue.Null);

sftpClient.Address = "reports.paypal.com";
sftpClient.Port = 22;
sftpClient.Username = currentCredential.Username;
sftpClient.Password = currentCredential.Password;

try
{
    sftpClient.Open();
}
catch (EElSimpleSFTPClientException ex)
{
    // The exception is swallowed here; nothing is logged.
}


I would be very thankful if you could give any hints on this.

Regards,
Robert
#15995
Posted: 03/07/2011 11:46:59
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

1) Please try to adjust the ciphers as described here (see step 5). Your code partially attempts to fulfill this step (with regard to symmetric key algorithms), but please be sure to adjust *all* the algorithms at the same time as described in the article.

2) Could you please bind the license ticket you received with the registration letter to your Helpdesk/Forum account so that we could identify you as a customer?
#15996
Posted: 03/07/2011 12:13:45
by Robert Bindas (Basic support level)
Joined: 03/07/2011
Posts: 4

Hi Innokentiy,

We are customers; the company name is cleverbridge AG (as in my email domain) and we purchased a license in 2007. But I'm not sure what exactly you need to identify us.

Back to the topic:

I've tried setting the algorithms to my own + the algorithms listed in the documentation:


sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES256, true);
sftpClient.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_SHA1, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_RSA1024_SHA1, true);
sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_3DES, true);
sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_DES, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_DH_GROUP, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_DH_GROUP_EXCHANGE, true);
sftpClient.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_MD5, true);
sftpClient.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_DSS, true);
sftpClient.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_RSA, true);


and it keeps returning error code 105.

If I only use these from the documentation:


sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_3DES, true);
sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_DES, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_DH_GROUP, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_DH_GROUP_EXCHANGE, true);
sftpClient.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_MD5, true);
sftpClient.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_DSS, true);
sftpClient.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_RSA, true);


I am getting an error code 7.

Any idea?

Thank you.

Robert
#16001
Posted: 03/08/2011 04:20:24
by Ken Ivanov (EldoS Corp.)

Thank you for the details.

Before enabling all those algorithms, have you actually disabled all other encryption, MAC, public key and KEX algorithms?

If you have, could you please try the following:
1) Disable HMAC-SHA1 algorithm and enable HMAC-MD5 instead,
2) Check if OnKeyValidate event is fired?
#16002
Posted: 03/08/2011 04:22:41
by Ken Ivanov (EldoS Corp.)

...and regarding the license - there's an entry called a "license ticket" included in the SecureBlackbox registration letter (a relatively short string of numeric characters - not to be confused with the license key, which is 512 alphanumeric characters long). Please find this license ticket and attach it to your web site account via the My Control Center section.
#16004
Posted: 03/08/2011 07:19:48
by Robert Bindas (Basic support level)
Joined: 03/07/2011
Posts: 4

1) Regarding the license ... I am going to do it tomorrow, as I have to wait for a colleague who purchased the license at that time. The only thing I can see at the moment is the license key (I could send it to you via email if you want).

2) Regarding the issue ...

Yes, I disabled all of them with the following code:

for (short i = SBSSHConstants.Unit.SSH_EA_FIRST; i <= SBSSHConstants.Unit.SSH_EA_LAST; i++)
{
    sftpClient.set_EncryptionAlgorithms(i, false);
}


Your point 1) - I disabled SSH_MA_HMAC_SHA1 and added SSH_MA_HMAC_MD5, and the error code remains 105.

Point 2) - the OnKeyValidate event was fired before the disabling/enabling of MacAlgorithms, as well as after the change. In both cases it returns IsKeyValid true.
#16005
Posted: 03/08/2011 07:37:46
by Ken Ivanov (EldoS Corp.)

1) There's no problem in doing it tomorrow. Actually, by assigning a license ticket you implicitly "tell" us that you have Standard support level which is faster than Basic one. It's okay with this topic (as you told us who you are), but the absence of the ticket might cause unnecessary delays with your future support inquiries.

2)
Quote
Yes, I disabled all of them with the following code:

And have you added similar code pieces for disabling MAC, public key and KEX algorithms?

Could you please place a breakpoint inside the OnError event handler and catch a call stack for us?
#16007
Posted: 03/08/2011 08:20:27
by Robert Bindas (Basic support level)
Joined: 03/07/2011
Posts: 4

Great, that was it! I turned off only the encryption algorithms before.

Here is the final version that works for me:

var sftpClient = new TElSimpleSFTPClient();

sftpClient.OnError += new SBSSHCommon.TSSHErrorEvent(sftpClient_OnError);
sftpClient.OnKeyValidate += new SBSSHCommon.TSSHKeyValidateEvent(sftpClient_OnKeyValidate);

sftpClient.Versions = 8;
sftpClient.AuthenticationTypes = 16;

// Disable every encryption algorithm.
for (short i = SBSSHConstants.Unit.SSH_EA_FIRST; i <= SBSSHConstants.Unit.SSH_EA_LAST; i++)
{
    sftpClient.set_EncryptionAlgorithms(i, false);
}

// Disable the key exchange algorithms.
for (short i = SBSSHConstants.Unit.SSH_KEX_DH_GROUP_EXCHANGE; i <= SBSSHConstants.Unit.SSH_KEX_LAST; i++)
{
    sftpClient.set_KexAlgorithms(i, false);
}

// Disable every public key algorithm.
for (short i = SBSSHConstants.Unit.SSH_PK_FIRST; i <= SBSSHConstants.Unit.SSH_PK_LAST; i++)
{
    sftpClient.set_PublicKeyAlgorithms(i, false);
}

// Disable every MAC algorithm.
for (short i = SBSSHConstants.Unit.SSH_MA_FIRST; i <= SBSSHConstants.Unit.SSH_MA_LAST; i++)
{
    sftpClient.set_MacAlgorithms(i, false);
}

// Re-enable only the algorithms the client should offer.
sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES256, true);
sftpClient.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_MD5, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_RSA1024_SHA1, true);

sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_3DES, true);
sftpClient.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_DES, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_DH_GROUP, true);
sftpClient.set_KexAlgorithms(SBSSHConstants.Unit.SSH_KEX_DH_GROUP_EXCHANGE, true);
sftpClient.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_DSS, true);
sftpClient.set_PublicKeyAlgorithms(SBSSHConstants.Unit.SSH_PK_RSA, true);

sftpClient.AutoAdjustCiphers = true;


Thank you once again for your help, Innokentiy.
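
The diagnostic approach used in this thread (read the algorithms out of a working WinSCP session, then check which algorithm categories the client code ever reset), as an added example that is not code from the thread or from EldoS. The mapping from WinSCP's wording to the SBSSHConstants names and the category labels are assumptions made for illustration.

```python
import re

# Constructed sample: the negotiation lines copied from the WinSCP log in the first post.
WINSCP_LOG = """\
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 1024 87:a4:aa:4a:ef:bb:52:07:c2:6d:39:97:42:35:74:fe
Initialised AES-256 CBC client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 CBC server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
"""

# Assumption: how WinSCP's wording corresponds to the constant names used in the thread.
TO_CONSTANT = {
    "Diffie-Hellman group exchange": "SSH_KEX_DH_GROUP_EXCHANGE",
    "ssh-rsa": "SSH_PK_RSA",
    "AES-256 CBC": "SSH_EA_AES256",
    "HMAC-SHA1": "SSH_MA_HMAC_SHA1",
}

# One pattern per algorithm category that the client exposes a setter for.
PATTERNS = {
    "kex": re.compile(r"^Doing (.+ group exchange)$"),
    "public_key": re.compile(r"^(ssh-[\w-]+) \d+ (?:[0-9a-f]{2}:){15}[0-9a-f]{2}$"),
    "encryption": re.compile(r"^Initialised (.+) (?:client->server|server->client) encryption$"),
    "mac": re.compile(r"^Initialised (.+) (?:client->server|server->client) MAC algorithm$"),
}

def negotiated(log):
    """Return {category: sorted names} for the algorithms the logged session used."""
    found = {category: set() for category in PATTERNS}
    for line in log.splitlines():
        for category, pattern in PATTERNS.items():
            match = pattern.match(line.strip())
            if match:
                name = match.group(1)
                # Unmapped names are kept verbatim so a gap in the mapping stays visible.
                found[category].add(TO_CONSTANT.get(name, name))
    return {category: sorted(names) for category, names in found.items()}

def unrestricted(reset_categories, observed):
    """Categories the log shows in use that the client never reset to all-disabled."""
    return sorted(c for c, names in observed.items() if names and c not in reset_categories)

if __name__ == "__main__":
    observed = negotiated(WINSCP_LOG)
    print(observed)
    print(unrestricted({"encryption"}, observed))  # first post: only the SSH_EA_* loop ran
    print(unrestricted({"encryption", "kex", "public_key", "mac"}, observed))  # final post
```

A client log records only what one session settled on, not everything the server offers: the final configuration in this thread enables HMAC-MD5 rather than the HMAC-SHA1 that WinSCP negotiated.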
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.