Subject: SFTP with RSA works but can't get to work with DSS
Date: 2013-02-15 18:50:06
From: Terry Campbell
Source: sftp-rsa-works-can-t-get-work-dss
----------------------------------------------------------------------

We've been using the SFTP product in a production environment for 4-5 months to successfully pull data from another server via the Sftp object and the RSA SshHostKeyAlgorithm. Recently there have been changes on the other end and we're getting: "Atp.Net.SftpException: The client and the server have no common algorithms." Some analysis indicated that the other server is not using RSA but rather DSA. So we changed the code to make the SshHostKeyAlgorithm configurable and tried using the DSS enumerated value rather than RSA. But in our local testing, when the "Use FIPS compliant algorithms for encryption, hashing and signing" setting is enabled, we can't get it to work, but rather get "Key exchange failed" on Sftp's Connect. If we disable this setting in Local Security Policy and set Atp.Security.SecuritySettings.FipsAlgorithmsOnly = false in code, the Sftp Connect and Authenticate methods work fine.
For RSA:
 Only Windows Use Fips enabled --> Key exchange failed
 Only FipsAlgorithmsOnly = "true" --> Connect / Authenticate worked
 Both false --> Connect / Authenticate worked
 Both "true" --> Connect / Authenticate worked
For DSA:
 Only Windows Use Fips enabled --> Key exchange failed
 Only FipsAlgorithmsOnly = "true" --> Key exchange failed
 Both false --> Connect / Authenticate worked
 Both "true" --> Key exchange failed

1. Can you help? The other side doesn't want to switch to RSA, claiming it will break their other feeds.
2. Also, why doesn't DSA work like RSA? Basically we want DSA to work like RSA was working.

We've tested primarily using default values for 
 EncryptionAlgorithms
 EncryptionModes
 MacAlgorithms
 KeyExchangeAlgorithms
and
 HostKeyAlgorithms = SshHostKeyAlgorithm.DSS
The server is not accessible by you.

The product version that I see in, say, Atp.Sftp.dll is 5.0.20.4302

If we can't get it to work soon, we'll need to look at competing products.

Terry
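
Added example, not part of the original post and not ComponentPro code: a Python sketch of how an SSH client and server settle on a host key algorithm from their SSH_MSG_KEXINIT name-lists (RFC 4253, section 7.1), showing why an RSA-only client finds nothing in common with a DSA-only server. The server payload is constructed sample data, the mapping of SshHostKeyAlgorithm.DSS to the wire name "ssh-dss" is an assumption, and the selection rule is simplified to "first client preference the server also lists".

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (used to make sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; raise ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        result[field] = raw.split(",") if raw else []
        pos += length
    return result

def negotiate(client_names, server_names):
    """Return the first client preference the server also lists, else None."""
    return next((n for n in client_names if n in server_names), None)

# Constructed sample: a server that offers only a DSA host key.
SERVER = build_kexinit({"kex_algorithms": ["diffie-hellman-group14-sha1"],
                        "server_host_key_algorithms": ["ssh-dss"]})

def host_key_result(client_host_key_algorithms, server_payload=SERVER):
    """Host key algorithm both sides agree on, or None if there is no overlap."""
    offered = parse_kexinit(server_payload)["server_host_key_algorithms"]
    return negotiate(client_host_key_algorithms, offered)

if __name__ == "__main__":
    print(host_key_result(["ssh-rsa"]))             # RSA-only client
    print(host_key_result(["ssh-rsa", "ssh-dss"]))  # client allowing both
```

This covers only the algorithm-list mismatch behind the "no common algorithms" error; it does not model the FIPS setting or the later "Key exchange failed" result.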

----------------------------------------------------------------------
Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand. If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back.