Unable to connect to SSH when FIPS policy is ON

0 votes
asked Jan 30 by shailesh.kumar (120 points)

I am evaluating Rebex binaries from Rebex Component 2017 R6.3 (Trial). I am using rebex.TerminalEmulation library to establish SSH connection with CISCO codec. The code works when FIPS is Off on my system but does not work when it is ON. The error says the following:

Rebex.Net.SshException: Negotiation failed. The client and the server have no common encryption algorithm.
at Rebex.Net.ATM.Q(CDM N, SshKeyExchangeAlgorithm M, SshHostKeyAlgorithm U, GTM I, GTM Q, ETM L, ETM O)
at Rebex.Net.SshSession.QME(Byte[] N)
at Rebex.Net.SshSession.Negotiate()
at Rebex.Net.Ssh.HZY.QME(UZY N, Boolean M)
at Rebex.Net.Ssh.LK(String N, Int32 M, SshParameters U, UZY I)
--- End of inner exception stack trace ---
at Rebex.Net.Ssh.LK(String N, Int32 M, SshParameters U, UZY I)
at Rebex.Net.Ssh.OC(String N, Int32 M, SshParameters U)

The documentation on FIPS from the Rebex website says the following:

FIPS 140-2 mode
Rebex SFTP can operate in a FIPS 140-2 compliant mode. When enabled, only FIPS-approved cryptographic modules from MS CryptoAPI are used. FIPS mode is activated automatically when Windows is running in FIPS mode. To switch on the FIPS mode manually, set Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly to true.

I am setting this property to true before establishing the connection but this does not help.

Please help us regarding the same.

1 Answer

0 votes
answered Jan 30 by Lukas Pokorny (92,830 points)

In FIPS-only mode, only FIPS-validated cryptographic algorithms provided by Windows CryptoAPI are used. The same applies when Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly is set to true (this is the default value for Windows running in FIPS mode). In practice, this mostly affects AES/CTR cipher which is not supported by Windows CryptoAPI and therefore not available in FIPS-only mode of Rebex components. If the server is configured to support CTR ciphers but not CBC ciphers, this will result in the error you encountered.

There are several possible solutions to this:

  • Enable AES/CBC ciphers at the server.

  • Disable FIPS-only mode at the client by setting Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly to false.

  • Try using a beta of Rebex Components 2018 R1 that supports AES/GCM ciphers in FIPS-only mode. If the server supports AES/GCM as well, this would solve the issue. I sent a download link to your email address.

...
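The answer above comes down to SSH algorithm negotiation: per RFC 4253 section 7.1, the chosen cipher is the first entry in the client's preference list that the server also offers, and if the lists do not intersect the connection fails exactly as in the stack trace. The following is an added example, not code from the thread or from the Rebex library; it encodes and decodes the SSH name-list wire format used in SSH_MSG_KEXINIT, applies the negotiation rule, and reports which side is missing what when no cipher is shared. All cipher lists are constructed to mirror the situation in the thread (a CTR-only server against a client limited to CBC, then to CBC plus GCM); the assumption that FIPS-only mode leaves CBC and, in the 2018 R1 beta, GCM available is taken from the answer, and the exact algorithm names Rebex advertises are not confirmed by the page.

```python
# Added example (not from the Rebex thread or the Rebex library): SSH algorithm
# negotiation as specified in RFC 4253 section 7.1, with a diagnostic for the
# "no common encryption algorithm" failure. All cipher lists below are constructed.
import struct


def encode_name_list(names):
    """Encode an SSH name-list: uint32 big-endian length + comma-separated ASCII names."""
    payload = ",".join(names).encode("ascii")
    return struct.pack(">I", len(payload)) + payload


def decode_name_list(buf, offset=0):
    """Decode one SSH name-list starting at `offset`; return (names, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    raw = buf[start:start + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    names = [n for n in raw.decode("ascii").split(",") if n]
    return names, start + length


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: the first algorithm in the client's list that the server also offers."""
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None  # no common algorithm: the connection must fail here


# Constructed cipher lists modelled on the thread: a CTR-only server, and a client
# restricted to what the answer says FIPS-only mode leaves available (assumed names).
SERVER_CTR_ONLY = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
SERVER_WITH_CBC = ["aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"]
SERVER_WITH_GCM = ["aes128-ctr", "aes256-ctr", "aes128-gcm@openssh.com"]

CLIENT_FIPS_CBC = ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]
CLIENT_FIPS_CBC_GCM = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com"] + CLIENT_FIPS_CBC
CLIENT_NON_FIPS = ["aes256-ctr", "aes128-ctr"] + CLIENT_FIPS_CBC


def diagnose(client_prefs, server_kexinit_list):
    """Decode the server's wire-format list, negotiate, and explain a failure."""
    server_prefs, _ = decode_name_list(server_kexinit_list)
    chosen = negotiate(client_prefs, server_prefs)
    if chosen is not None:
        return {"ok": True, "cipher": chosen}
    return {
        "ok": False,
        "client_only": sorted(set(client_prefs) - set(server_prefs)),
        "server_only": sorted(set(server_prefs) - set(client_prefs)),
    }


if __name__ == "__main__":
    # Simulate the server's KEXINIT encryption name-list on the wire.
    wire = encode_name_list(SERVER_CTR_ONLY)
    for label, prefs in [("FIPS client, CBC only", CLIENT_FIPS_CBC),
                         ("FIPS client with GCM", CLIENT_FIPS_CBC_GCM),
                         ("non-FIPS client", CLIENT_NON_FIPS)]:
        print(label, diagnose(prefs, wire))
```

Running the block shows the first two clients failing against the CTR-only server, with `server_only` listing the three CTR ciphers, while the non-FIPS client selects aes256-ctr. The same `negotiate` function applies unchanged to the KEX, host-key and MAC name-lists, so the diagnostic can be extended to any of the negotiation fields before deciding whether to turn FIPS-only mode on or to add CBC/GCM at the server.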