ColdFusion 2021 and jsch connecting using CFFTP/SFTP #789

Open
SethDunn opened this issue Mar 9, 2025 · 10 comments

Comments

@SethDunn

SethDunn commented Mar 9, 2025

We are having an issue with an upgrade of ColdFusion 2021 update 11 -> Update 17
We had a connection to a secure FTP server that worked, now after upgrade it no longer works.
The algorithms we are proposing don't work with the server, the server uses older ones.

ErrorCode | 82

ErrorText | Algorithm negotiation fail: algorithmName="cipher.c2s" jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]" serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"

ReturnValue | 82 Algorithm negotiation fail: algorithmName="cipher.c2s" jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]" serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
Succeeded | NO

It is similar to this issue:
#40
and this one, the dropbear post is exactly what we get
#37

How would we be able to enable the algorithms their server is looking for? Like aes256-cbc or aes128-cbc?

@SethDunn
Author

The install that worked was using jsch-0.1.54.jar
The update is now using jsch-0.2.17.jar
If that helps

@mwiede
Owner

mwiede commented Mar 10, 2025

Hi @SethDunn
What configuration options did you try so far? If you want to re-enable algorithms you need to read the https://github.com/mwiede/jsch/wiki/Jsch-Configuration or the FAQ section on the Readme page.

@SethDunn
Author

Hi @mwiede
I would like to re-enable them. Just not sure how to go about doing that, since this is ColdFusion. Not sure where you enable these things, I am assuming the jvm.config file?? But then also not sure what flags need to be set. I am not the original web programmer for our company, unfortunate things happened with that gentleman. So now I am trying to help maintain things, so CF is a little foreign to me. And you have a Java install on the server, but then CF also has its own Java it uses.
So do you know where I would need to configure these things?

@SethDunn
Author

@mwiede
At the bottom of that link you supplied, there is this:
java -jar my_spring_boot_app.jar -Djsch.kex=ssh-ed25519,diffie-hellman-group14-sha1

So I assume that this is what we will need, and it will be added to the java.config file.
So in our case, I don't think we will need to have the "-jar my_spring_boot_app.jar" portion, we would just need the -Djsch.kex portion? And for that, would it just be "-Djsch.kex=aes256-cbc" or "-Djsch.kex=ssh-rsa,aes256-cbc", since the priv file is ssh-rsa

@mwiede
Owner

mwiede commented Mar 10, 2025

@SethDunn sorry I have no idea about ColdFusion. If the config file can be used to set system properties, then it should work

@SethDunn
Author

@mwiede
Ok, I added the "-Djsch.kex=ssh-rsa,aes256-cbc" flag to the jvm.config file.
CF service did start, so that at least is good. My boss will test and see if that works.

Since this is part of the jsch jar file, if I wanted to go in and edit this file to re-enable the CBC algorithms, is there a fairly "easy" way to do that?
I am also wondering if possible to downgrade back to the previous jsch jar file and seeing if that works.

@SethDunn
Author

SethDunn commented Mar 10, 2025

@mwiede
Adding that flag resulted in this:

Connection Opened - struct

ErrorCode | 82

ErrorText | Algorithm negotiation fail: algorithmName="kex" jschProposal="ssh-rsa,aes256-cbc,ext-info-c,[email protected]" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-s"

ReturnValue | 82 Algorithm negotiation fail: algorithmName="kex" jschProposal="ssh-rsa,aes256-cbc,ext-info-c,[email protected]" serverProposal="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-s"

Succeeded | NO

Would the flag you suggested "-Djsch.kex=ssh-rsa,aes256-cbc"
work with "-Djsch.cipher.c2s=ssh-rsa,aes256-cbc" ?

@SethDunn
Author

@mwiede
Ok, got it to work!!!!

Had to add this to the jvm.config file.....what CF uses to pass arguments to Java

-Dcoldfusion.sftp.enable-ssh-rsa=TRUE -Dcoldfusion.sftp.fingerprint=md5 -Djsch.cipher=aes128-cbc
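Added example, not code from this thread or from the JSch project: a small diagnostic that parses the "Algorithm negotiation fail" text quoted above, applies the SSH selection rule (the first client-side algorithm the server also offers wins, RFC 4253 section 7.1) and reports whether the negotiated algorithm is a legacy one. It also shows the difference between appending a legacy cipher after the defaults and offering only that cipher: an appended entry can only win against a server that offers nothing better, whereas a list containing only aes128-cbc can never negotiate anything else. The sample message is constructed from the thread's text, and writing the two obfuscated entries as aes128-gcm@openssh.com and aes256-gcm@openssh.com is an assumption.

```python
import re

# Constructed sample, modelled on the cipher.c2s failure quoted in this thread.
# The two GCM names are an assumption for the obfuscated "[email protected]" entries.
SAMPLE_ERROR = (
    'Algorithm negotiation fail: algorithmName="cipher.c2s" '
    'jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,'
    'aes128-gcm@openssh.com,aes256-gcm@openssh.com" '
    'serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"'
)

# Substrings that mark an algorithm as legacy in current OpenSSH/JSch defaults.
LEGACY = ("-cbc", "3des", "blowfish", "group1-", "-sha1")


def parse_failure(text):
    """Return (algorithm name, client list, server list) from a JSch message."""
    m = re.search(r'algorithmName="([^"]*)"\s+jschProposal="([^"]*)"\s+'
                  r'serverProposal="([^"]*)"', text)
    if not m:
        raise ValueError("not a JSch negotiation failure message")
    name, client, server = m.groups()
    split = lambda s: [a for a in s.split(",") if a]
    return name, split(client), split(server)


def negotiate(client, server):
    """SSH rule: the first client algorithm that the server also offers."""
    offered = set(server)
    return next((a for a in client if a in offered), None)


def is_legacy(alg):
    return any(tag in alg for tag in LEGACY)


def diagnose(text, extra=()):
    """Report what is negotiated now and after appending 'extra' to the client list."""
    name, client, server = parse_failure(text)
    before = negotiate(client, server)
    after = negotiate(client + list(extra), server)
    return {
        "algorithm": name,
        "current": before,
        "with_extra": after,
        "legacy": is_legacy(after) if after else None,
        "server_only_legacy": all(is_legacy(a) for a in server),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR))
    print(diagnose(SAMPLE_ERROR, extra=["aes128-cbc"]))
```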

@mwiede
Owner

mwiede commented Mar 10, 2025

@SethDunn good to know, thanks!

On the other hand I want to encourage you to clarify with the server admins, why they still have this old configuration and why not consider upgrading. The new default settings of openssh and jsch are there for a reason, security!

@SethDunn
Author

@mwiede
LOL, Oh I know and I agree....completely.
I even mentioned it to my boss when the error first popped up....I was like man CBC is old and weak. We have it disabled on our servers in order to be PCI compliant.
But the data we are retrieving from this client doesn't contain any sensitive information....so I guess they don't much care or perhaps they really don't know to begin with.
