0 votes
by (600 points)

I am connecting/uploading/downloading with the CB SFTP server via Rebex in C#.
The Rebex DLL version used for the same is 6.0.8372.0.

ciphers
aes256-gcm@openssh.com
rijndael-cbc@lysator.liu.se
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com

MACs
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com

Key exchange algorithm
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

Applies to: Rebex SFTP

1 Answer

0 votes
by (147k points)

aes256-gcm@openssh.com - supported
rijndael-cbc@lysator.liu.se - this is an old name for aes256-cbc from roughly 20 years ago; use aes256-cbc instead (or rather not, because it's weak)
aes128-gcm@openssh.com - supported
chacha20-poly1305@openssh.com - supported

MACs
hmac-sha2-512-etm@openssh.com - supported
hmac-sha2-256-etm@openssh.com - supported
hmac-sha1-etm@openssh.com - supported (and considered weak)
umac-64-etm@openssh.com - not supported (and considered weak)
umac-64@openssh.com - not supported (and considered weak)

Key exchange algorithm
curve25519-sha256@libssh.org - supported on Windows 10/11 and Windows Server 2016/2019/2022; external plugin needed for other platforms
sntrup4591761x25519-sha512@tinyssh.org - not supported (most likely won't ever be supported because the sntrup4591761 algorithm was superseded almost two years ago by sntrup761)

by (600 points)
So will this Rebex version (6.0.8372.0) mentioned above be able to connect, upload and download with the CB SFTP server using the ciphers, MACs and key exchange algorithms listed above without any issue?
I assume that if any of the above ciphers are supported, connectivity/upload/download will work fine.
by (147k points)
What exactly is a "CB SFTP server"? We support SFTP and SSH protocols, but what does "CB" actually mean?

Rebex SFTP should be able to connect/authenticate/upload/download to the server as long as there is at least one SSH cipher in each of the five categories (key exchange algorithm / host key algorithm / symmetric encryption algorithm / MAC algorithm / compression algorithm) that is supported by both the client and the server.
by (600 points)
edited by
Will Rebex DLL versions 6.0.8232.0 and 5.0.7161.0 be able to support any of the above ciphers, MACs and key exchange algorithms?

Will there be any issue connecting/uploading/downloading with those Rebex DLL versions?

By CB server I meant the Central Bank SFTP server. We are connecting to it via Rebex.

Please provide a response ASAP.
by (147k points)
> Will Rebex DLL versions 6.0.8232.0 and 5.0.7161.0 be able to support any of the above ciphers, MACs and key exchange algorithms

6.0.8232 - yes on Windows 10/11 and Windows Server 2016/2019/2022; external Curve25519 plugin needed for other platforms
5.0.7161 - only with an external Curve25519 plugin

> Will there be any issue to connect/upload/download for those rebex dll versions

5.0.x releases are no longer supported or maintained. 5.0.7161 is almost 5 years old, which means that it was not tested with any contemporary SFTP servers. If you continue using it with new SFTP servers, it's basically only a matter of time before you run into some compatibility issue. If you have to stay on 5.0.x for some reason, consider upgrading to 5.0.8813, published earlier this year.

> By CB server I meant Central Bank SFTP server. We are connecting towards there via Rebex

Using an outdated 5-year-old library to connect to a central bank SFTP server does not seem like a good idea, particularly when your ciphers of choice make the SSH sessions vulnerable to the Terrapin attack: https://blog.rebex.net/version-7-0-8755 (mitigation added to 5.0.8813).
by (600 points)
We cannot upgrade from this version at this time. Maybe the next time the SFTP server is updated. So for Rebex 5.0.7161.0, will it support SFTP connectivity/upload/download if the elliptic curve plugin is present on the client server on all the above Windows platforms?

Also, how can one identify whether the elliptic curve plugin is enabled or not on the client server?
by (147k points)
Rebex.Curve25519 plugin enables curve25519-sha256@libssh.org cipher support in v5.0.7161 on all target .NET platforms. If a server is configured to support the ciphers you listed above, then Rebex SFTP v5.0.7161 should be able to support SFTP connectivity/upload/download with that server. We are unable to tell for sure - the SFTP server might require some other SSH features that were not available 5 years ago, such as SSH extension support or Terrapin vulnerability mitigation support.

If your application has enabled the Curve25519 plugin by calling AsymmetricKeyAlgorithm.Register(Curve25519.Create), then it's enabled. If it did not, then it's not enabled. For more information, see https://www.rebex.net/kb/simple-elliptic-curve-libraries/
by (600 points)
edited by
So to enable the elliptic curve plugin, do I have to add a few more libraries for it and also update the connectivity code, or can we enable the plugin without any code change for Rebex 5.0.7161.0? Also, will the connectivity fail if the above plugin is not enabled for this Rebex DLL version? Please confirm.
by (600 points)
Which of the ciphers/MACs/key exchange algorithms below will be supported by Rebex versions 5.0.7161.0 and 6.0.8232.0 by default?
ciphers
aes256-gcm@openssh.com
rijndael-cbc@lysator.liu.se
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com

MACs
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com

Key exchange algorithm
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org
by (147k points)
Yes. To enable curve25519-sha256@libssh.org in v5.0.7161, you have to add one library (Rebex.Curve25519.dll) and enable it as described at https://www.rebex.net/kb/elliptic-curve-plugins/
by (147k points)
For aes256-gcm@openssh.com, aes128-gcm@openssh.com, hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com, you need Rebex SFTP v3.0.6666 or higher. No plugin required.

For chacha20-poly1305@openssh.com, you need Rebex SFTP v5.0.7290 or higher. No plugin required.

For curve25519-sha256@libssh.org, you need Rebex SFTP v5.0.7357 or higher. No plugin required on Windows 10, Windows Server 2016 or higher. Plugin needed on other operating systems and on Windows 8.1, Windows Server 2012 R2 or earlier.
by (600 points)
So will Rebex DLLs with the versions below
(5.0.7161.0,
6.0.8232.0,
6.0.8372.0)
be able to connect to a server with the above ciphers enabled, without any code change, on Windows Server 2016 to Windows Server 2022 or above, and without enabling any plugin?
Please confirm at the earliest.
by (147k points)
No, 5.0.7161 will not be able to.

For curve25519-sha256@libssh.org, you need Rebex SFTP v5.0.7357 or higher. No plugin required on Windows 10, Windows Server 2016 or higher. Plugin needed on other operating systems and on Windows 8.1, Windows Server 2012 R2 or earlier.
by (600 points)
edited by
I need much more clarity. Rebex version 5.0.7161.0 will support some of the ciphers/MACs/algorithms, except curve25519-sha256@libssh.org,
but connectivity to the server will work without any plugin since some ciphers are supported. Other Rebex DLL versions will connect since most ciphers are supported. Please confirm.
by (147k points)
Yes, v5.0.7161 will support some of the algorithms listed above:

aes256-gcm@openssh.com
aes128-gcm@openssh.com

hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com

No plugin is needed for these algorithms.
by (600 points)
Hence connectivity with the server will happen successfully, right, for the same Rebex DLL versions (5.0.7161.0, 6.0.8232.0 & 6.0.8372.0)? Please confirm.
by (147k points)
No. If curve25519-sha256@libssh.org and sntrup4591761x25519-sha512@tinyssh.org are the only key exchange algorithms supported by the server, then 5.0.7161 will NOT be able to work with it because no common key exchange algorithm could be negotiated. 6.0.8232.0 and 6.0.8372.0 should work.

An SFTP/SSH client and server have to negotiate a cipher in each of the five categories to be able to connect: key exchange algorithm / host key algorithm / symmetric encryption algorithm / MAC algorithm / compression algorithm. 5.0.7161 lacks out-of-the-box support for both curve25519-sha256@libssh.org and sntrup4591761x25519-sha512@tinyssh.org, which means that the client and the server will not be able to communicate.
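The negotiation rule described in the answer above can be checked mechanically. The block below is an added example, not Rebex code and not part of the original thread: it serialises and parses an SSH KEXINIT payload (RFC 4253 section 7.1) and applies the name-list rule (first algorithm in the client's list that the server also offers) to each category. The server lists mirror the ones posted in this thread; the host key and compression lists, and both client profiles (an "out-of-the-box 5.0.7161" and a "6.0.x" client), are constructed assumptions that only reproduce what the answers state (no curve25519 or chacha20 in 5.0.7161 without a plugin), not Rebex's actual default lists.

```python
import struct

SSH_MSG_KEXINIT = 20

# Server lists as posted in the thread. Host key and compression lists are
# constructed placeholders because the thread never shows them.
THREAD_SERVER_LISTS = {
    "kex": ["curve25519-sha256@libssh.org", "sntrup4591761x25519-sha512@tinyssh.org"],
    "hostkey": ["ssh-ed25519"],
    "cipher": ["aes256-gcm@openssh.com", "rijndael-cbc@lysator.liu.se",
               "aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha1-etm@openssh.com", "umac-64-etm@openssh.com", "umac-64@openssh.com"],
    "comp": ["none"],
}

# Assumed client profiles (not Rebex's real defaults), mirroring the answers:
# 5.0.7161 has AES-GCM and SHA-2 ETM MACs but no curve25519/chacha20 built in.
CLIENT_5_0_7161 = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-ed25519", "ssh-rsa"],
    "cipher": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "comp": ["none"],
}
CLIENT_6_0 = dict(CLIENT_5_0_7161,
                  kex=["curve25519-sha256@libssh.org", "curve25519-sha256", "ecdh-sha2-nistp256"],
                  cipher=["chacha20-poly1305@openssh.com"] + CLIENT_5_0_7161["cipher"])


def _name_list(names):
    """RFC 4253 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=bytes(16)):
    """Serialise a KEXINIT payload; cipher/MAC/compression lists are sent once per direction."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (lists["kex"], lists["hostkey"], lists["cipher"], lists["cipher"],
                  lists["mac"], lists["mac"], lists["comp"], lists["comp"], [], []):
        body += _name_list(names)
    body += b"\x00"               # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)  # reserved
    return body


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its ten name-lists, keyed by field name."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos = 1 + 16  # message id + 16-byte cookie
    fields = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for name in fields:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        out[name] = raw.split(",") if raw else []
    return out


def negotiate(client_list, server_list):
    """RFC 4253 rule: first entry of the client's list that the server also offers, else None."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def can_connect(client, server_kexinit):
    """Negotiate every category the session needs (client-to-server direction shown).
    Returns (ok, chosen); ok is False as soon as one category has no common algorithm.
    Note: OpenSSH ignores the MAC choice when an AEAD cipher (GCM, chacha20) is selected;
    this simplified check follows the thread's five-category rule instead."""
    s = parse_kexinit(server_kexinit)
    chosen = {
        "kex": negotiate(client["kex"], s["kex"]),
        "hostkey": negotiate(client["hostkey"], s["hostkey"]),
        "cipher": negotiate(client["cipher"], s["cipher_c2s"]),
        "mac": negotiate(client["mac"], s["mac_c2s"]),
        "comp": negotiate(client["comp"], s["comp_c2s"]),
    }
    return all(v is not None for v in chosen.values()), chosen


THREAD_SERVER = build_kexinit(THREAD_SERVER_LISTS)

if __name__ == "__main__":
    for label, client in (("5.0.7161 (assumed)", CLIENT_5_0_7161), ("6.0.x (assumed)", CLIENT_6_0)):
        print(label, can_connect(client, THREAD_SERVER))
```

Running it shows the point of the answer: the old client profile matches a cipher and a MAC but fails on the key exchange category alone, so the session never reaches authentication; the newer profile negotiates curve25519-sha256@libssh.org and proceeds.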
by (600 points)
The key exchange algorithms supported are the below:
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group18-sha512
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

If so, will Rebex SFTP DLL version 5.0.7161 be able to connect to the server? Awaiting an update ASAP.
by (147k points)
It should be able to connect to the server if "ecdh-sha2-nistp521", "ecdh-sha2-nistp384" or "ecdh-sha2-nistp256" are explicitly enabled, but a small percentage of connection attempts will fail due to lack of proper SSH-compatible ECDH algorithm support in Windows.

(A proper SSH-compatible ECDH algorithm support was introduced in Windows 10. Rebex SFTP added support for it in v5.0.7357.)
by (600 points)
edited by
Will Rebex SFTP DLL 5.0.7357.0 (instead of 5.0.7161.0) and Rebex SFTP DLL 6.0.8232.0/6.8372 have any connectivity attempt failures in between? We want a completely working Rebex SFTP DLL as per our need. We are uploading and downloading a large volume of data within a configured time.

Also, please advise: if we use Rebex DLLs of these versions suited for a lower framework like 3.5 and higher frameworks like 4.5, 4.6.1, 4.6.2 etc., will there be any connectivity failure in between? We need it to
by (600 points)
Will Rebex SFTP DLL versions starting from 5.0.7537.0 onwards connect with the above ciphers and key exchange algorithms without any connectivity failure? (.NET Framework 3.5, 4.6, 4.6.1, 4.6.2 etc.)
by (147k points)
If you want a completely working Rebex SFTP that is able to work reliably with contemporary SFTP servers, then you really don't want to use an outdated 4-year-old version that is already out of support, contains known issues and a vulnerability, and could not possibly have been tested before release with any SFTP server published between 2020 and today.

Rebex SFTP v5.07357 might work in your scenario, and it does support .NET Framework 3.5-4.8. However, the only way to find out for sure is to actually give it a try. The SFTP server might have additional requirements we are not aware of. It could require some other SSH features that were not available 4 years ago, such as SSH extension support or Terrapin vulnerability mitigation.
by (600 points)
If I am using the Rebex SFTP DLL with version 6.0.8232.0 onwards, I hope there will not be any SFTP connectivity failures in between at the client side. We want all the data processing to happen within a configured time, and hence if connectivity failures happen at the client side it could affect the functionality (say, while downloading we have a connectivity issue at the client side etc.). Hence, if we use the versions from 6.0.8232.0 onwards, will it be fine?
by (147k points)
v6.0.8232 added SSH extension negotiation and is still reasonably up-to-date. We are not aware of any compatibility issues between that 2-year-old version and contemporary servers.

That said, if reliability is your goal, then the up-to-date Rebex SFTP v6.0.8814 is a better option:
https://www.rebex.net/kb/r6-release-history/
by (600 points)
Actually we have been using the Rebex DLL for many years. Of late, as part of an SFTP server upgrade, we upgraded the Rebex SFTP DLL to 6.0.8372.0 and noticed connectivity issues happening in between at times after the SFTP server upgrade. Before that there were no connectivity errors happening at all. We couldn't completely investigate where the issue is happening. However, we want the connectivity to work without any failure at all times from our side. Will it be due to a connectivity issue at the server side or the client side?

List of ciphers macs and key exchange algorithms are already updated above.
by (600 points)
I am connecting/uploading/downloading with the CB SFTP server via Rebex in C#.
The Rebex DLL version used for the same is 5.0.7501.0. It was mentioned that there would be a small percentage of connectivity issues with version 5.0.7161.0 since the ECDH algorithm is not supported in Windows. Please confirm.

ciphers
aes256-gcm@openssh.com
rijndael-cbc@lysator.liu.se
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com

MACs
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com

Key exchange algorithm
aes256-gcm@openssh.com
aes128-gcm@openssh.com

hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org
by (147k points)
There seems to be a mistake in your list - aes256-gcm@openssh.com and aes128-gcm@openssh.com are not key exchange algorithms.

What did the connectivity errors you observed with v6.0.8372 say?
by (600 points)
One exception we got was "Error while connecting SFTP: No connection could be made because the target machine actively refused it". Another was "Connection attempt timed out."
The connectivity failure happened intermittently.

We are connecting as below in a Windows service:
// sSFTPHost: string[] holding host, port, user name and password, in that order
var objSFTP = new Rebex.Net.Sftp();
objSFTP.Connect(sSFTPHost[0], int.Parse(sSFTPHost[1]));  // TCP connect, then SSH handshake
objSFTP.Login(sSFTPHost[2], sSFTPHost[3]);                // password authentication
by (147k points)
Well, these errors are not actually related to the SFTP or SSH protocol and ciphers at all!
They are connectivity issues at the TCP level. It's a network issue for network administrators to solve.
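To separate the TCP-level failures the answer above points to from algorithm-negotiation or authentication failures, the following added example (not Rebex code and not from the original thread) classifies failure messages by the layer they come from and probes TCP reachability on its own, before any SSH library is involved. The first two sample messages are the ones posted in this thread; the remaining samples and the regex patterns are constructed assumptions in the style of .NET socket and SSH client error texts, not an exhaustive catalogue.

```python
import re
import socket
from collections import Counter

# Patterns ordered from the lowest layer upwards; the first match wins.
# Constructed for this example; real libraries word their errors differently.
RULES = [
    ("tcp", re.compile(r"actively refused|timed out|no such host|unreachable|reset by peer", re.I)),
    ("ssh-negotiation", re.compile(r"no common|could not be negotiated|no matching|unsupported .*algorithm", re.I)),
    ("ssh-hostkey", re.compile(r"host key|fingerprint", re.I)),
    ("auth", re.compile(r"authentication|permission denied|password", re.I)),
]

# First two lines are from the thread; the others are constructed samples.
SAMPLE_ERRORS = [
    "Error while connecting SFTP: No connection could be made because the target machine actively refused it",
    "Connection attempt timed out.",
    "No common key exchange algorithm could be negotiated.",
    "Authentication failed: permission denied",
]


def classify(message):
    """Return the lowest layer whose pattern matches the message, or 'unknown'."""
    for layer, pattern in RULES:
        if pattern.search(message):
            return layer
    return "unknown"


def summarize(messages):
    """Count failures per layer so intermittent TCP problems stand out from protocol ones."""
    return dict(Counter(classify(m) for m in messages))


def cipher_related(message):
    """True only when the failure could be explained by cipher/MAC/kex lists."""
    return classify(message) == "ssh-negotiation"


def tcp_reachable(host, port, timeout=5.0):
    """Open and immediately close a plain TCP connection, without any SSH traffic.
    Returns (True, None) on success or (False, reason) so a refused or timed-out
    connect can be attributed to the network rather than to the SFTP library."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError as exc:
        return False, classify(str(exc)) if exc.strerror is None else classify(exc.strerror)


if __name__ == "__main__":
    for msg in SAMPLE_ERRORS:
        print(f"{classify(msg):16} {msg}")
    print(summarize(SAMPLE_ERRORS))
```

When the summary for a batch of failed runs is dominated by the tcp layer, as it is for the two messages in this thread, changing cipher, MAC or key exchange settings cannot help; the evidence to collect is network-side (firewall logs, connection limits, packet captures), and tcp_reachable gives a quick check that does not depend on the SFTP library version at all.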
...