sftp - Where to look for non-fips compliant secure SSH connection?

One of our projects uses an older third-party JScape library to trigger SFTP file pulls through a .NET Web Forms application that calls a web service currently targeting .NET Framework 4.8. Our application, of course, is just wrapping JScape DLL methods. The third-party DLL just suddenly started throwing the FIPS compliance errors seen below, even though FIPS has been enabled on this server since it was stood up (years ago) and calls using this library succeeded until a few weeks ago. We've enabled FIPS on test servers and can still currently make connections using this same library wrapped in our code. One of our staff has captured the connection in Wireshark and sees compliant algorithms in the key exchange, and I'm not sure what other guidance to offer since I don't work in this lane very often. Any recommendations on what filters to apply in Wireshark to identify the problem would be helpful (or whether Wireshark isn't the droid we should be looking at). I know RijndaelManaged isn't supposed to be FIPS compliant, but I don't understand why we can successfully make these calls on test machines with FIPS enabled using the same code. I also thought .NET 4.8 would have redirected to a compliant block size, but I'm unsure since we're wrapping a very old library (I believe 2013 was their last update).

These are all Windows Server 2012 R2 VMs. We have tried things such as pivoting our test server's cipher suites and protocols to line up with the production server, but the test server still succeeded on calls. Supported ciphers on the calling server are not specified on either the test or the prod server in the requisite Schannel\Ciphers registry key. We're also asking the owner of the SFTP server to provide the ciphers from their config to see if we can potentially eliminate anything non-compliant, but haven't heard back. That is still a tricky option since our test server works fine and we don't know what other clients need to communicate with this SFTP server.

Error Message:
Daily Job - Import - Stopped – 
Jscape.Sftp.SftpException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. ---> 
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. 
at System.Security.Cryptography.RijndaelManaged..ctor() 
at Jscape.Ssh.Transport.MS.MSCipher.x56e2ad8ae9696c49.CreateDecipher(Byte[] keyData, Byte[] ivData) 
at Jscape.Ssh.Transport.TransportConfiguration.GetServerClientDecipher(String name, KeyCreator keyCreator) 
at Jscape.Ssh.Transport.TransportClient.SetReaderAlgorithms(KeyCreator creator) 
at Jscape.Ssh.Transport.Transport.ExchangeKeys(SshMsgKexInit localInitMsg, SshMsgKexInit remoteInitMsg) 
at Jscape.Ssh.Transport.Transport.ExchangeKeys() 
at Jscape.Ssh.Connection.ConnectionClient.Create(ConnectionParameters parameters, User user, ConnectionConfiguration config) 
at Jscape.Ssh.SshStandaloneConnector.OpenConnection() 
at Jscape.Sftp.ClientSession..ctor(IConnector connector, Encoding readerEncoding, Encoding writerEncoding) --- End of inner exception stack trace --- 
at Jscape.Sftp.ClientSession..ctor(IConnector connector, Encoding readerEncoding, Encoding writerEncoding) 
at Jscape.Sftp.Sftp.Connect() 
at xx.xx.xx.xx.xx.InitializeSftpConnection()

Thank you for any support/advice.

question from:https://stackoverflow.com/questions/65830737/where-to-look-for-non-fips-compliant-secure-ssh-connection
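The stack trace shows where the difference between the two servers can be pinned down: .NET Framework's FIPS policy check is applied per implementation class, not per algorithm. RijndaelManaged (and AesManaged) throw InvalidOperationException from their constructor whenever the machine-wide FIPS flag is on, even when the negotiated SSH cipher is an approved algorithm such as aes128-cbc, while AesCryptoServiceProvider and AesCng wrap the validated Windows CAPI/CNG providers and succeed. So a Wireshark capture showing compliant algorithms in the KEXINIT exchange is expected and does not rule the problem out. The following PowerShell script is an added example, not code from the original post or from JScape; it reads the FIPS policy switch that the CLR consults, asks the CLR what it believes, and then instantiates each AES implementation the way a library would. Run it on both the test and production servers and diff the output. The registry path and type names are real; the list of types to probe is my choice.

```powershell
# Added example (not from the original post): compare the FIPS policy and the
# AES implementations the .NET Framework allows on a given Windows server.

# 1. The machine-wide switch that .NET Framework reads. The Group Policy
#    "System cryptography: Use FIPS compliant algorithms..." writes this value.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"FipsAlgorithmPolicy\Enabled           = $fipsEnabled"

# 2. What the running CLR concluded from that key. This is the flag that
#    RijndaelManaged..ctor() checks before throwing InvalidOperationException.
$clrFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
"CryptoConfig.AllowOnlyFipsAlgorithms = $clrFips"

# 3. Instantiate each AES implementation the way a library would and report
#    which ones the policy rejects. The algorithm is AES in every case; only
#    the implementation differs.
$implementations = @(
    'System.Security.Cryptography.RijndaelManaged',          # managed code: rejected under FIPS
    'System.Security.Cryptography.AesManaged',               # managed code: rejected under FIPS
    'System.Security.Cryptography.AesCryptoServiceProvider', # CAPI wrapper: validated
    'System.Security.Cryptography.AesCng'                    # CNG wrapper: validated (.NET 4.6.2+)
)

foreach ($typeName in $implementations) {
    try {
        $alg = New-Object -TypeName $typeName
        $alg.Dispose()
        '{0,-55} OK' -f $typeName
    }
    catch {
        # New-Object wraps the constructor's exception; surface the inner message
        $msg = $_.Exception.InnerException.Message
        if (-not $msg) { $msg = $_.Exception.Message }
        '{0,-55} FAILED: {1}' -f $typeName, $msg
    }
}
```

If RijndaelManaged fails on production but succeeds on test, the two servers differ in step 1 or 2 regardless of what the test server's Group Policy report claims; if it fails on both, the difference is in what the library does after key exchange (for example, which cipher the SFTP server now prefers, since the library only constructs the cipher class for the algorithm actually negotiated). Two caveats that the question touches on: the Schannel\Ciphers registry keys govern TLS and have no effect on an SSH library that implements its own transport, so changing them will not move this result; and in Wireshark the SSH dissector's KEXINIT messages (display filter `ssh.message_code == 20`) list the cipher names each side offers, which tells you which algorithm was picked but not which .NET class the client used to implement it.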


1 Answer

0 votes
by (71.8m points)
Waiting for answers
