swaggie

Posts: 13
Registered: 22-Jul-2015
Can't connect. Server reported: Algorithm negotiation fail
Posted: 15 Oct 22, 08:38
After I upgraded to version 29 I am not able to connect to the webserver to upload an album.
All worked fine before the upgrade and no change has been made.
The error states "Can't connect. Server reported: Algorithm negotiation fail"

I can still connect and upload using an FTP client, FileZilla (this is how I currently upload new photos to an album).
The settings on the FTP client are the same as used in jAlbum.
I have tried all the other connection types in jAlbum but all fail with different errors.

The type I use in jAlbum and FileZilla is SFTP
I have deleted the account profile and recreated it, but no change.

Is this a known bug?
Any solution for this?
Anything I can do to get more detail?
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 16 Oct 22, 08:44   in response to: swaggie
Attachment jsch-0.1.54.jar (272.1 KB)
This is most likely a side effect of updated encryption algorithms with the updated 3rd-party encryption library we're using. As time goes by, old insecure algorithms are removed in favor of newer more secure ones.

The most "correct" solution to this is really if you ask those who administer your server to update the encryption algorithms ("ciphers"), but to help you instantly, you can replace the encryption library in jAlbum with the older one we used for v28.1. To do this, open jAlbum, then select Tools->Open directories->Program directory. Now navigate inside the "lib" folder. Now close jAlbum and delete the file "jsch-0.2.3.jar" or move it outside the "lib" folder (renaming it isn't enough). Finally put the attached file in the "lib" folder. Now start jAlbum again.
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 16 Oct 22, 15:08   in response to: davidekholm
Thanks for the quick reply and solution. Replacing jsch-0.2.3.jar with jsch-0.1.54.jar solved the issue.
I will also ask my ISP if they can change the ciphers and when they have confirmed they did I will remove jsch-0.1.54.jar and add jsch-0.2.3.jar.

Thanks again and kind regards, Willem
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 18 Oct 22, 12:13   in response to: swaggie
Sounds good!
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 4 Nov 22, 12:18   in response to: davidekholm
Hi David,

I have requested the ISP where my webspace is hosted to upgrade the ciphers and also given them the 2 .jar files so they could see what needs to be upgraded.
But they let me know that the .jar files do not show the cipher revisions used and the filenames do not correspond with cipher revisions either. So they asked me to get the correct cipher revision from you.

Could you please let me know the minimal revision of the cipher which is needed to function correctly with jAlbum 29 and higher?

Kind regards, Willem
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 4 Nov 22, 16:05   in response to: swaggie
I don't know how to obtain that info, but I'll provide the cipher negotiation logs for a working and failing negotiation here. Perhaps that will shed some light on what details to adjust:

Working negotiation (older jAlbum version):
Cipher algorithm negotiation ok. Agreeing on aes128-ctr:
 
 
INFO: kex: server: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa1024-sha1
INFO: kex: server: ssh-rsa,ssh-dss
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc
INFO: kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com,umac-128@openssh.com
INFO: kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com,umac-128@openssh.com
INFO: kex: server: zlib@openssh.com,zlib,none
INFO: kex: server: zlib@openssh.com,zlib,none
INFO: kex: server: 
INFO: kex: server: 
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client: 
INFO: kex: client: 
INFO: kex: server->client aes128-ctr hmac-md5 none
INFO: kex: client->server aes128-ctr hmac-md5 none
INFO: SSH_MSG_KEX_ECDH_INIT sent
INFO: expecting SSH_MSG_KEX_ECDH_REPLY
INFO: ssh_rsa_verify: signature true


Failing negotiation (jAlbum 29):
INFO: kex: server: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa1024-sha1
INFO: kex: server: ssh-rsa,ssh-dss
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc
INFO: kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com,umac-128@openssh.com
INFO: kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com,umac-128@openssh.com
INFO: kex: server: zlib@openssh.com,zlib,none
INFO: kex: server: zlib@openssh.com,zlib,none
INFO: kex: server: 
INFO: kex: server: 
INFO: kex: client: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
INFO: kex: client: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
INFO: kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
INFO: kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
INFO: kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: client: none
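In SSH the two sides must agree in every category of the key exchange proposal, and the algorithm chosen in each category is the first entry on the client's list that the server also offers (RFC 4253). The following is an added example, not part of the original post and not jAlbum or JSch code, that applies this rule to the failing log above; the slot and function names are this example's own.

```python
# Added example (not jAlbum or JSch code): find which SSH algorithm category
# has no overlap, using the "kex:" lines JSch logs for both sides.
# Slot order is the KEXINIT name-list order from RFC 4253 section 7.1.
SLOTS = ["kex", "server_host_key", "cipher_c2s", "cipher_s2c",
         "mac_c2s", "mac_s2c", "compression_c2s", "compression_s2c"]

# First six name-lists per side, copied from the failing (jAlbum 29) log above.
FAILING_LOG = """\
INFO: kex: server: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa1024-sha1
INFO: kex: server: ssh-rsa,ssh-dss
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-ctr,blowfish-cbc,cast128-cbc,arcfour256,arcfour128,3des-ctr,3des-cbc
INFO: kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com,umac-128@openssh.com
INFO: kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,umac-64@openssh.com,umac-128@openssh.com
INFO: kex: client: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
INFO: kex: client: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
INFO: kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
INFO: kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
INFO: kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""

def parse_proposals(log_text):
    """Collect each side's name-lists in the order they were logged."""
    sides = {"server": [], "client": []}
    for line in log_text.splitlines():
        side, sep, names = line.partition("kex: ")[2].partition(":")
        if sep and side in sides:  # skips "kex: server->client ..." result lines
            sides[side].append([n for n in names.strip().split(",") if n])
    return sides

def negotiate(log_text):
    """Per slot: first client algorithm the server also lists, else None.
    Simplified: ignores RFC 4253's extra conditions for kex and host key."""
    p = parse_proposals(log_text)
    return {slot: next((a for a in client if a in server), None)
            for slot, client, server in zip(SLOTS, p["client"], p["server"])}

def failed_slots(log_text):
    """Slots where client and server share no algorithm, so negotiation fails."""
    return [slot for slot, algo in negotiate(log_text).items() if algo is None]

if __name__ == "__main__":
    for slot, algo in negotiate(FAILING_LOG).items():
        print(f"{slot:16} {algo or 'NO COMMON ALGORITHM'}")
```

The only slot without a common algorithm is `server_host_key`; the ciphers (`aes128-ctr`) and MACs still overlap, so comparing cipher lists alone does not reveal the failure.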
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 10 Nov 22, 14:41   in response to: swaggie
It looks like this cipher security issue is not as straightforward as just stating the webhosting server needs to use the latest version of ciphers.
Isn't it possible for jAlbum to just state the minimal requirement for hosting a jAlbum website which includes connecting from within jAlbum to the webhost?

The, translated, reply from my ISP:
"The given data is not exactly what we asked for but we found the following.

Both the successful and the unsuccessful connection use the 'aes128-ctr' security which is supported on our webhosting servers.

To further verify the connection ciphers, to see what we do and do not allow, we really need the whole list of ciphers."

Regards, Willem
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 10 Nov 22, 16:59   in response to: swaggie
Hi. There is now an updated jsch library available that will clearly tell why the negotiation failed. An error can look like this for instance:
Can't connect. Server reported: Algorithm negotiation fail:
algorithmName="server_host_key"
jschProposal="ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"
serverProposal="ssh-rsa,ssh-dss"
In this case, the "ssh-rsa" algorithm has been disabled as it is judged insecure, hence the error.

To install this update, grab the file linked above and put it inside jAlbum's "lib" folder and delete the older "jsch-0.2.3.jar" file there. Now restart jAlbum and try to connect.

I've also updated jAlbum 29 to v29.1.5. This version has re-enabled the old "ssh-rsa" algorithm that caused my test to fail, and perhaps will help you too. To get v29.1.5 open jAlbum, then select Tools->External tools->"jAlbum core update"
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 11 Nov 22, 18:05   in response to: swaggie
Hi, I have chosen to do the core update to 29.1.5, which is working for me.

This new update goes back from jsch-0.2.3.jar to the old version jsch-0.1.54.jar. Does that mean that new updates will stick to the old version until there is a version which works in both situations?
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 12 Nov 22, 11:29   in response to: swaggie
swaggie wrote:
Hi, I have chosen to do the core update to 29.1.5, which is working for me.

This new update goes back from jsch-0.2.3.jar to the old version jsch-0.1.54.jar. Does that mean that new updates will stick to the old version until there is a version which works in both situations?


With v29.1.5 you can use either the old or (preferred) new jsch library. Both work now.
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 12 Nov 22, 11:49   in response to: davidekholm
"With v29.1.5 you can use either the old or (preferred) new jsch library. Both work now."

Sorry, but it is not really clear to me. Do you mean that newer versions, v29.1.5 and higher, will not replace the currently used jsch library?

Edit:
After writing the above I did try the latest new jsch library (jsch-0.2.4.jar) to get the errors. But to my surprise there is no error anymore and the connection works fine......?
Either something more has changed in this new version or my ISP has updated the libraries?

Edited by: swaggie on 12 Nov 2022, 11:58
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 13 Nov 22, 16:57   in response to: swaggie
swaggie wrote:
"With v29.1.5 you can use either the old or (preferred) new jsch library. Both work now."

Sorry, but it is not really clear to me. Do you mean that newer versions, v29.1.5 and higher, will not replace the currently used jsch library?

Edit:
After writing the above I did try the latest new jsch library (jsch-0.2.4.jar) to get the errors. But to my surprise there is no error anymore and the connection works fine......?
Either something more has changed in this new version or my ISP has updated the libraries?

Edited by: swaggie on 12 Nov 2022, 11:58


It most likely works now as we've re-enabled the old outdated "ssh-rsa" encryption algorithm again. We've told the "jsch" library to activate this encryption algorithm again. With v 0.2.4, it was disabled by default.
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 13 Nov 22, 18:11   in response to: davidekholm
It most likely works now as we've re-enabled the old outdated "ssh-rsa" encryption algorithm again. We've told the "jsch" library to activate this encryption algorithm again. With v 0.2.4, it was disabled by default.

I guess you mean with v0.2.3 it was disabled by default and with v0.2.4 the outdated "ssh-rsa" encryption algorithm has been re-enabled.
So now v.0.2.4 has better error messages but as it also accepts the old outdated "ssh-rsa" encryption algorithm I will not get the better error messages, as it does not fail..........

If it keeps working like this, accepting the old outdated "ssh-rsa" encryption algorithm, I am fine with the solution. Even now I cannot convince my ISP to upgrade ;-)
davidekholm

Posts: 3,442
Registered: 18-Oct-2002
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 14 Nov 22, 16:54   in response to: swaggie
swaggie wrote:
It most likely works now as we've re-enabled the old outdated "ssh-rsa" encryption algorithm again. We've told the "jsch" library to activate this encryption algorithm again. With v 0.2.4, it was disabled by default.

I guess you mean with v0.2.3 it was disabled by default and with v0.2.4 the outdated "ssh-rsa" encryption algorithm has been re-enabled.


No. I mean what I wrote :-) v0.2.4 "only" has better error reporting should this error occur again.
swaggie

Posts: 13
Registered: 22-Jul-2015
Re: Can't connect. Server reported: Algorithm negotiation fail
Posted: 16 Nov 22, 14:44   in response to: davidekholm
davidekholm wrote:
swaggie wrote:
It most likely works now as we've re-enabled the old outdated "ssh-rsa" encryption algorithm again. We've told the "jsch" library to activate this encryption algorithm again. With v 0.2.4, it was disabled by default.

I guess you mean with v0.2.3 it was disabled by default and with v0.2.4 the outdated "ssh-rsa" encryption algorithm has been re-enabled.

No. I mean what I wrote :-) v0.2.4 "only" has better error reporting should this error occur again.


Ah OK, even better. v.0.2.4 is working fine for me so looks like problem solved.