Rebex SFTP: Key exchange failed. Server signature is not valid.

0 votes
asked Nov 14, 2016 by mingchen (120 points)

Hi, we connect to an external SFTP server with Rebex. Today, after the server was upgraded from CrushFtp version 3 to version 7.7, we started to receive the following exceptions. Any idea what the error means and how to fix it? Thanks.

2016-11-14 11:46:26.081 DEBUG Sftp(1)[1] SSH: Validating signature.
2016-11-14 11:46:26.082 DEBUG Sftp(1)[1] SSH: Negotiation failed: Rebex.Net.SshException: Key exchange failed. Server signature is not valid. ---> Rebex.Net.SshException: Server signature is not valid.
   at Rebex.Net.OGB.L(Byte[] A, Byte[] B, Byte[] C, SshPublicKey& D)
   at Rebex.Net.PGB.D(SshSession A, Byte[] B, Byte[] C, Byte[] D, Byte[] I, Byte[]& J, Byte[]& L, SshPublicKey& M)
   at Rebex.Net.SshSession.BZ(Byte[] A)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.BZ(Byte[] A)
2016-11-14 11:46:26.082 ERROR Sftp(1)[1] SSH: Rebex.Net.SshException: Key exchange failed. Server signature is not valid. ---> Rebex.Net.SshException: Server signature is not valid.
   at Rebex.Net.OGB.L(Byte[] A, Byte[] B, Byte[] C, SshPublicKey& D)
   at Rebex.Net.PGB.D(SshSession A, Byte[] B, Byte[] C, Byte[] D, Byte[] I, Byte[]& J, Byte[]& L, SshPublicKey& M)
   at Rebex.Net.SshSession.BZ(Byte[] A)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.BZ(Byte[] A)
   at Rebex.Net.SshSession.AZ()
   at Rebex.Net.SshSession.Negotiate()
2016-11-14 11:46:26.082 ERROR Sftp(1)[1] Info: Rebex.Net.SshException: Key exchange failed. Server signature is not valid. ---> Rebex.Net.SshException: Server signature is not valid.
   at Rebex.Net.OGB.L(Byte[] A, Byte[] B, Byte[] C, SshPublicKey& D)
   at Rebex.Net.PGB.D(SshSession A, Byte[] B, Byte[] C, Byte[] D, Byte[] I, Byte[]& J, Byte[]& L, SshPublicKey& M)
   at Rebex.Net.SshSession.BZ(Byte[] A)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.BZ(Byte[] A)
   at Rebex.Net.SshSession.AZ()
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Sftp.QNB.BZ(BNB A)
   at Rebex.Net.Sftp.XM(String A, Int32 B, SshParameters C, BNB D)
2016-11-14 11:46:26.164 ERROR Sftp(1)[1] Info: System.InvalidOperationException: Not connected to the server.
   at Rebex.Net.Sftp.FP(String A, String B, SshPrivateKey C, BNB D)
Applies to: Rebex SFTP

1 Answer

0 votes
answered Nov 15, 2016 by Lukas Pokorny (85,050 points)

My guess is that the new version of your SFTP server added support for an additional key exchange algorithm, but its implementation is not compatible with ours. Which version of Rebex SFTP do you use?

If this server (or any equivalent) is accessible from the internet, we could try reproducing this ourselves and hopefully fix it as well. In this case, let us know. We don't need any username or password because this error occurs before the authentication phase.

commented Nov 15, 2016 by mingchen (120 points)
Thanks Lukas,

Our version of Rebex.Sftp is 3.0.5715.0. The server is accessible from ftp.fascet.com. However, there may be an IP-based filter, so you may not be able to access it.
commented Nov 15, 2016 by Lukas Pokorny (85,050 points)
You are right, it's not accepting connections from us on port 22. Could you please create a communication log of Rebex SFTP as described at http://www.rebex.net/kb/logging/ and either post it here or mail it to us for analysis?
commented Nov 15, 2016 by mingchen (120 points)
I emailed the log file to 'support@rebex.net'. Thanks.
commented Nov 15, 2016 by Lukas Pokorny (85,050 points)
Thanks for the log!

Could you please try connecting once again, this time preferring RSA instead of DSS server host key? To do this, add the following line to your code:

client.Settings.SshParameters.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;
(where 'client' is an instance of Sftp object).

In case this doesn't work either, please mail us a new log as well.
commented Nov 15, 2016 by mingchen (120 points)
Yep that seems to have worked. Thanks!
commented Nov 15, 2016 by Lukas Pokorny (85,050 points)
Thanks for letting us know! The question that remains now is whether the issue with DSS server host key exchange is in the client or the server. Unlike Rebex SFTP, most third-party SFTP/SSH clients prefer RSA by default, so a server bug might actually go unnoticed. We will try doing some tests to determine this, and we will also consider making RSA the default as well. Until then, there is nothing wrong with keeping the PreferredHostKeyAlgorithm setting.
...
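An added illustration, not part of the thread and not Rebex or CrushFTP code: under RFC 4253 section 7.1 the host key algorithm is the first entry on the client's list that the server also offers, which is why changing the client's preference changes which server signature gets validated. The KEXINIT payload is constructed, the function names are hypothetical, and the sketch ignores the RFC's extra compatibility conditions between key exchange method and host key type.

```python
import struct

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, host_keys):
    """Build a constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    payload = bytes([20]) + bytes(16)          # message type 20 + 16-byte cookie
    payload += name_list(kex) + name_list(host_keys)
    for _ in range(8):                         # ciphers, MACs, compression, languages
        payload += name_list([])               # left empty in this constructed sample
    return payload + b"\x00" + bytes(4)        # first_kex_packet_follows + reserved

def parse_host_key_algorithms(payload):
    """Return the server_host_key_algorithms name-list from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, []
    for _ in range(2):                         # kex_algorithms, then host key algorithms
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        text = payload[offset:offset + length].decode("ascii")
        lists.append(text.split(",") if text else [])
        offset += length
    return lists[1]

def negotiate_host_key(client_prefs, server_payload):
    """Pick the first algorithm on the client's list that the server also offers."""
    offered = parse_host_key_algorithms(server_payload)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None                                # no common algorithm: negotiation fails

# Constructed server KEXINIT that offers both DSS and RSA host keys.
SERVER_KEXINIT = build_kexinit(["diffie-hellman-group14-sha1"], ["ssh-dss", "ssh-rsa"])

if __name__ == "__main__":
    print(negotiate_host_key(["ssh-dss", "ssh-rsa"], SERVER_KEXINIT))
    print(negotiate_host_key(["ssh-rsa", "ssh-dss"], SERVER_KEXINIT))
```

The server's RSA host key is a different key from its DSS host key, so a client that pins or records the host key fingerprint has to verify the RSA fingerprint separately after switching the preference.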