WinSCP plugin - "Couldn't agree a key exchange algorithm"

[ivank]

Hello,
after upgrading OpenSSL on the server to the version 1.1.1g 21 Apr 2020, there is no way to connect there with Altap's WinSCP plugin.

You can see the error message over here.

error.png (8.17 KiB) Viewed 27358 times

Thank you,
Ivan

[ivank]

Regarding of these pages https://github.blog/2017-02-27-crypto-d ... on-notice/ is diffie-hellman-group1-sha1 not safe.

The Logjam Attack research released in 2015 noted some key exchange algorithms were subject to an attack and should be disabled. In particular, they encouraged all system administrators to disable support for the diffie-hellman-group1-sha1 key exchange algorithm.

Also these pages https://tools.ietf.org/id/draft-ietf-cu ... ection.3.5 writing about diffie-hellman-group1-sha1.

This method uses [RFC7296] Oakley Group 2 (a 1024-bit MODP group) and SHA-1 [RFC3174]. Due to recent security concerns with SHA-1 [RFC6194] and with MODP groups with less than 2048 bits (see [LOGJAM] and [NIST-SP-800-131Ar1]), this method is considered insecure.

Is there any workaround?

Thank you,
Ivan K.

[tukanos]

Well the issue is for both OpenSSL and OpenSSH. OpenSSH will block rsa-sha1 in near future too.

I think the only way is to get a new *winscp.spl* addon library from the developers, which would support the new key exchange algorithm. Since there is currently no official support or source codes, you can only ask the former developers to compile it for us or publish the source code.

[crystalidea]

Same problem with Ubuntu 20.04

[tukanos]

Same problem with Ubuntu 20.04

The issue will be everywhere till new spl will be provided.

[tukanos]

The solution is to use the TC sftp plugin.

[Tigerente]

The solution is to use the TC sftp plugin.

Yes, YMMD! Thank you.