SFTP Server Negotiation Delays

0 votes
asked 6 days ago by Mark Scaletti (150 points)
edited 6 days ago by Lukas Pokorny

I have written a simple SFTP Server using Rebex 2018R3. It works as expected when run under Windows but when executed on a Raspbian Linux box under Mono V5.14.0.177 the connection takes a long time or times out depending on the application used to connect.

From a Wireshark trace I can see a 2 minute delay between the client's Group Exchange Init message coming in and the server's Group Exchange Reply going out. This delay is not present when the server is run under Windows.

There is a corresponding delay with matching timestamps recorded in the Rebex trace log between receiving the SSH_MSG_PACKET32 message and sending the SSH_MSG_PACKET33 message.

2018-11-06 22:27:17.905 DEBUG FileServer(1)[6] SSH: Session 1: Local SSH version: SSH-2.0-RebexSSH_1.0.6874.0
2018-11-06 22:27:17.925 DEBUG FileServer(1)[6] SSH: Session 1: Remote SSH version: SSH-2.0-OpenSSH_6.6.1
2018-11-06 22:27:17.927 DEBUG FileServer(1)[6] SSH: Session 1: Performing algorithm negotiation and key exchange.
2018-11-06 22:27:17.982 VERBOSE FileServer(1)[6] SSH: Session 1: Sent packet SSH_MSG_KEXINIT (768 bytes).
2018-11-06 22:27:17.990 VERBOSE FileServer(1)[5] SSH: Session 1: Received packet SSH_MSG_KEXINIT (1008 bytes).
2018-11-06 22:27:18.023 DEBUG FileServer(1)[5] SSH: Session 1: Performing key exchange using diffie-hellman-group-exchange-sha256 with ssh-rsa.
2018-11-06 22:27:18.024 VERBOSE FileServer(1)[6] SSH: Session 1: Received packet SSH_MSG_PACKET34 (24 bytes).
2018-11-06 22:27:18.035 VERBOSE FileServer(1)[6] SSH: Session 1: Sent packet SSH_MSG_KEXDH_REPLY (1048 bytes).
2018-11-06 22:27:18.059 VERBOSE FileServer(1)[5] SSH: Session 1: Received packet SSH_MSG_PACKET32 (528 bytes).
2018-11-06 22:29:21.224 VERBOSE FileServer(1)[5] SSH: Session 1: Sent packet SSH_MSG_PACKET33 (832 bytes).
2018-11-06 22:29:21.232 VERBOSE FileServer(1)[5] SSH: Session 1: Sent packet SSH_MSG_NEWKEYS (16 bytes).
2018-11-06 22:29:21.248 DEBUG FileServer(1)[5] SSH: Session 1: Current encryptor is aes128-ctr/hmac-sha2-512.
2018-11-06 22:29:21.249 INFO FileServer(1)[14] SSH: Session 1: Connection closed by the remote host.

How do I remove this delay?

Thanks,

Mark.

Applies to: Rebex SFTP

1 Answer

0 votes
answered 6 days ago by Lukas Pokorny (95,290 points)
selected 5 days ago by Mark Scaletti
 
Best answer

The delay occurs during the calculation of the Diffie-Hellman shared secret. On non-Windows platforms, a managed implementation of the Diffie-Hellman algorithm is used to perform these calculations, which is substantially slower than the native implementation provided by Windows. On low-performance devices such as the Raspberry Pi, this calculation takes a very long time for long Diffie-Hellman keys. The relative slowness of Mono compared to .NET or .NET Core also makes this problem more severe.

To mitigate the issue, lower the maximum allowed Diffie-Hellman key size to 2048 bits on low-performance platforms, which is secure enough for the near-term future:

var server = new FileServer();
// Restrict group-exchange Diffie-Hellman moduli to 1024..2048 bits.
server.Settings.DiffieHellmanParametersCache.SetDiffieHellmanKeySizeRange(1024, 2048);

Alternatively, use a plugin to enable Elliptic-curve Diffie-Hellman support. Elliptic curve cryptography offers equivalent security with smaller key sizes, which makes it particularly useful on low-performance platforms.
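As an added illustration (not code from the question or from Rebex), the following Python models the group-exchange size negotiation behind this answer: the server clamps the client's requested modulus size into its own allowed range, here 1024..2048 bits as in the setting above, and then performs the Diffie-Hellman shared-secret computation whose cost grows with modulus size. The clamping rule and the client request values are assumptions, and the modulus is a constructed random odd number rather than a real DH group.

```python
import secrets
import time

# Constructed server policy mirroring the setting quoted in the answer:
# only Diffie-Hellman groups between 1024 and 2048 bits are allowed.
# Assumption: the server clamps the client's request into its own range,
# as RFC 4419 permits; this is illustrative, not Rebex's actual logic.
SERVER_MIN_BITS = 1024
SERVER_MAX_BITS = 2048


def choose_group_bits(client_min, client_preferred, client_max,
                      server_min=SERVER_MIN_BITS, server_max=SERVER_MAX_BITS):
    """Pick the DH modulus size for a group-exchange (RFC 4419) request.

    The client sends (min, n, max); the server answers with a size as close
    to n as possible that lies inside both the client's and its own range.
    Returns None when the ranges do not overlap (negotiation must fail).
    """
    low = max(client_min, server_min)
    high = min(client_max, server_max)
    if low > high:
        return None
    return min(max(client_preferred, low), high)


def dh_exchange(bits, generator=2):
    """Run a toy DH exchange over a constructed `bits`-bit modulus and time
    the server-side shared-secret step the answer identifies as the bottleneck.

    The modulus is a random odd number, not a safe prime: modexp cost depends
    only on operand size, so the timing is representative even though this is
    not a cryptographically valid group.
    """
    p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    a, b = secrets.randbits(256), secrets.randbits(256)  # short exponents keep the demo fast
    e = pow(generator, a, p)   # client's public value (GEX_INIT, "SSH_MSG_PACKET32" above)
    f = pow(generator, b, p)   # server's public value (GEX_REPLY, "SSH_MSG_PACKET33" above)
    start = time.perf_counter()
    k_server = pow(e, b, p)    # the server's shared-secret computation
    elapsed = time.perf_counter() - start
    k_client = pow(f, a, p)
    return k_server == k_client, elapsed


if __name__ == "__main__":
    # Constructed client request: prefers an 8192-bit group, accepts 1024..8192.
    for server_max in (8192, SERVER_MAX_BITS):
        bits = choose_group_bits(1024, 8192, 8192, server_max=server_max)
        agreed, secs = dh_exchange(bits)
        print(f"server cap {server_max}: negotiated {bits}-bit group, "
              f"secret agreed={agreed}, server modexp took {secs * 1000:.1f} ms")
```

Running it side by side shows the same exchange succeeding at both sizes, with the capped server spending far less time in the step that stalled for two minutes on the Raspberry Pi.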

commented 5 days ago by Mark Scaletti (150 points)
Using the reduced key size we are down to a 16 second delay now.  That's workable for our system.

Thanks for the prompt reply.