SFTP error

Post any question you may have in regards to GoAnywhere MFT and let our talented support staff and other users assist you.
5 posts Page 1 of 1

ehersh

Posts: 56
Joined: Mon Sep 26, 2016 12:50 pm

Post by ehersh » Tue Apr 04, 2017 10:33 am
Any idea what could cause the following error? We get it when we test the resource yet the file can be sent using FILEZILLA

[8098 - SFTP] Session.connect: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive). Full stack trace written to '1397290121775_error_1.log'
4/4/17 6:01:27 AM INFO Finished project 'NEW-PROJECT'
4/4/17 6:01:27 AM ERROR [8098 - SFTP] Session.connect: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
4/4/17 6:01:27 AM INFO End Date and Time: 4/4/17 6:01:27 AM

Support_Dan

Posts: 9
Joined: Fri Dec 02, 2016 1:39 pm

Post by Support_Dan » Thu Apr 06, 2017 11:58 am
Can you send a screen shot of the SSH/SFTP resource properties? Wondering if you changed anything on the SSH Keys tab or Algorithms tab.

ehersh

Posts: 56
Joined: Mon Sep 26, 2016 12:50 pm

Post by ehersh » Thu Apr 06, 2017 4:49 pm
The SSH keys tab is blank. Which properties tab did you need to see?

Support_Dan

Posts: 9
Joined: Fri Dec 02, 2016 1:39 pm

Post by Support_Dan » Fri Apr 07, 2017 4:23 pm
GoAnywhere is dependent upon the ability of the Security Provider used to generate DH keypairs during the key exchange. Depending upon the key exchange algorithm used, the server MAY require a key size larger than the default Java Security Provider can support.
The solution is one of the following:
Disable the key exchange algorithm that is negotiating a key size larger than the supported max (version 5.2.4 or higher required)
Implement the BouncyCastle workaround (see below) to use the BC provider for DH key pair generation, which supports up to 8192 bit key sizes (version 5.2.4 or higher required)
Enable FIPS mode, which supports up to 8192 bit key sizes (any version of GoAnywhere) - This version has the most potential negative impact because it implements the JSafeJCE provider in a way that affects all encryption

Diffie-Hellman Key Exchange Algorithms
DH Key Exchange Algorithm
DH Key Size
diffie-hellman-group1-sha1
1024
diffie-hellman-group14-sha1 2048
diffie-hellman-group-exchange-sha1 Negotiated between 1024 and 8192
diffie-hellman-group-exchange-sha256 Negotiated between 1024 and 8192

Security Provider Max DH Key Sizes
Security Provider
Max DH Key Size
Default SunJCE (Oracle Java 1.7) 1024
Default SunJCE (Oracle Java 1.8) 2048
JSafeJCE (FIPS certified provider) 8192
BouncyCastle 8192

BouncyCastle Workaround ***Version GAMFT 5.2.4 or higher Required***
Add the following line to the [INSTALL_DIR]/config/system.properties and restart (stop then start) GoAnywhere MFT.
com.linoma.sftp.client.kexProvider.BC=true

NOTE: Java may fix this issue in a future version and this will not be needed anymore. The work around is using Bounce Castle instead of Sun JCE. Bounce Castle can create keys up to size 8192. This fixes the Client side since Server side was already using BC as the default.

NOTE: on Version 5.4.3 we got the following error
SSH_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024)
expecting SSH_MSG_KEX_DH_GEX_GROUP

ehersh

Posts: 56
Joined: Mon Sep 26, 2016 12:50 pm

Post by ehersh » Mon Apr 10, 2017 6:45 am
I believe we fixed it. We added the key exchange to the algorithm tab, thank you for your help.
5 posts Page 1 of 1