Ask a Question

Key exchange failed FIPS-certified AES implementation not available

0 votes
by (120 points)
edited

I'm getting the following error on a widow 2003 server with FIPS enabled. It works fine on a window 7 machine.

Rebex.Net.SftpException: Key exchange failed. ---> Rebex.Net.SshException: Key exchange failed. ---> System.Security.Cryptography.CryptographicException: FIPS-certified AES implementation is not available.
   at Rebex.Security.Cryptography.SymmetricKeyAlgorithm.N()
   at Rebex.Security.Cryptography.SymmetricKeyAlgorithm.CreateEncryptor()
   at Rebex.Security.Cryptography.WU.T()
   at Rebex.Net.SshSession.ZR(Byte[] A)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.ZR(Byte[] A)
   at Rebex.Net.SshSession.YR()
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Sftp.EEB.ZR(SDB A)
   at Rebex.Net.Sftp.KL(String A, Int32 B, SshParameters C, SDB D)
   --- End of inner exception stack trace ---
   at Rebex.Net.Sftp.KL(String A, Int32 B, SshParameters C, SDB D)
   at Rebex.Net.Sftp.JL(String A, Int32 B, SshParameters C)
   at sftp_connect.Program.uploadFile(String _database, String _localPath, String _fileName) in ...
by (148k points)
edited

Please determine whether bool forceManagedAes = Rebex.Security.Cryptography.CryptoHelper.ForceManagedAes; returns true or false and let me know!

by (120 points)
edited

Where is cryptohelper defined?

by (148k points)
edited

It's in Rebex.Common.dll assembly, Rebex.Security.Cryptography namespace.

by (120 points)
edited

It's false

1 Answer

0 votes
by (148k points)
edited

It looks like the version of .NET Framework 3.5 on your Windows 2003 Server has a memory leak bug in AesCryptoServiceProvider class. Rebex SFTP normally works around this by using RijndaelManaged class instead, but this can't be done in FIPS-enabled mode because RijndaelManaged doesn't use a certified AES implementation.

Under these cirsumstances, Rebex SFTP should actually disable AES while negotiation the SSH connection, but due to a bug in a detection routine, this doesn't happen.

There are three ways to solve the issue:

  • Install the hotfix for the .NET AesCryptoServiceProvider bug (this is the recommended solution)
  • Disable AES before connecting to the server using the following code: sftp.Settings.SshParameters.EncryptionAlgorithms &= ~SshEncryptionAlgorithm.AES; (where sftp is an instance of Sftp class)
  • Download a hotfix for Rebex SFTP that disables AES automatically under these circumstances.
by (120 points)
edited

Problem solved after applying the hotfix, thanks

...