Key exchange failed FIPS-certified AES implementation not available

0 votes
asked Jan 14, 2014 by flyjar (120 points)
edited Jan 15, 2014

I'm getting the following error on a Windows 2003 server with FIPS enabled. It works fine on a Windows 7 machine.

Rebex.Net.SftpException: Key exchange failed. ---> Rebex.Net.SshException: Key exchange failed. ---> System.Security.Cryptography.CryptographicException: FIPS-certified AES implementation is not available.
   at Rebex.Security.Cryptography.SymmetricKeyAlgorithm.N()
   at Rebex.Security.Cryptography.SymmetricKeyAlgorithm.CreateEncryptor()
   at Rebex.Security.Cryptography.WU.T()
   at Rebex.Net.SshSession.ZR(Byte[] A)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.ZR(Byte[] A)
   at Rebex.Net.SshSession.YR()
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Sftp.EEB.ZR(SDB A)
   at Rebex.Net.Sftp.KL(String A, Int32 B, SshParameters C, SDB D)
   --- End of inner exception stack trace ---
   at Rebex.Net.Sftp.KL(String A, Int32 B, SshParameters C, SDB D)
   at Rebex.Net.Sftp.JL(String A, Int32 B, SshParameters C)
   at sftp_connect.Program.uploadFile(String _database, String _localPath, String _fileName) in ...
commented Jan 15, 2014 by Lukas Pokorny (111,430 points)
edited Jan 15, 2014

Please determine whether bool forceManagedAes = Rebex.Security.Cryptography.CryptoHelper.ForceManagedAes; returns true or false and let me know!

commented Jan 15, 2014 by flyjar (120 points)
edited Jan 15, 2014

Where is CryptoHelper defined?

commented Jan 15, 2014 by Lukas Pokorny (111,430 points)
edited Jan 15, 2014

It's in Rebex.Common.dll assembly, Rebex.Security.Cryptography namespace.

commented Jan 15, 2014 by flyjar (120 points)
edited Jan 15, 2014

It's false.

1 Answer

0 votes
answered Jan 15, 2014 by Lukas Pokorny (111,430 points)
edited Jan 15, 2014

It looks like the version of .NET Framework 3.5 on your Windows 2003 Server has a memory leak bug in the AesCryptoServiceProvider class. Rebex SFTP normally works around this by using the RijndaelManaged class instead, but this can't be done in FIPS-enabled mode because RijndaelManaged doesn't use a certified AES implementation.

Under these circumstances, Rebex SFTP should actually disable AES while negotiating the SSH connection, but due to a bug in a detection routine, this doesn't happen.

There are three ways to solve the issue:

  • Install the hotfix for the .NET AesCryptoServiceProvider bug (this is the recommended solution)
  • Disable AES before connecting to the server using the following code: sftp.Settings.SshParameters.EncryptionAlgorithms &= ~SshEncryptionAlgorithm.AES; (where sftp is an instance of the Sftp class)
  • Download a hotfix for Rebex SFTP that disables AES automatically under these circumstances.
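
As an added example (not code from the post or from Rebex), a C# helper that applies the second workaround only when the key exchange actually fails with the FIPS AES error described above, then retries once with AES removed from the offered ciphers. The host name, credentials and paths are placeholders, and it assumes the Sftp instance can be reused for a second Connect after the failed key exchange.

```csharp
using System;
using System.Security.Cryptography;
using Rebex.Net;

class FipsSafeUpload
{
    // True when the exception chain ends in the CryptographicException from the
    // trace above ("FIPS-certified AES implementation is not available").
    // This is a message-text check, so it only matches that specific failure.
    static bool IsFipsAesFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is CryptographicException &&
                e.Message.IndexOf("FIPS", StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        }
        return false;
    }

    // Connects and logs in. If the key exchange fails because no certified AES
    // is available, drops AES from the cipher list (the workaround from the
    // answer) and negotiates again. Returns true when AES had to be disabled.
    static bool ConnectWithAesFallback(Sftp sftp, string host, int port,
                                       string user, string password)
    {
        try
        {
            sftp.Connect(host, port);
            sftp.Login(user, password);
            return false;
        }
        catch (SftpException ex)
        {
            if (!IsFipsAesFailure(ex))
                throw; // any other failure is left to the caller
            // Key exchange died before a cipher was agreed, so nothing was sent
            // encrypted yet; retry with only the remaining enabled ciphers.
            sftp.Settings.SshParameters.EncryptionAlgorithms &= ~SshEncryptionAlgorithm.AES;
            sftp.Connect(host, port);
            sftp.Login(user, password);
            return true;
        }
    }

    static void Main()
    {
        Sftp sftp = new Sftp(); // placeholder host/credentials below
        bool aesDisabled = ConnectWithAesFallback(sftp, "sftp.example.com", 22, "user", "password");
        if (aesDisabled) // make the degraded cipher choice visible in logs
            Console.WriteLine("WARNING: AES disabled for this session; apply the .NET hotfix instead.");
        sftp.PutFile(@"C:\data\report.csv", "/upload/report.csv");
        sftp.Disconnect();
    }
}
```

The warning line matters in practice: the answer's recommended fix is the .NET hotfix, and this fallback should be a logged, temporary measure rather than a silent downgrade.
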
commented Jan 15, 2014 by flyjar (120 points)
edited Jan 15, 2014

Problem solved after applying the hotfix, thanks.

...