–1 vote
181 views
in .NET FTP by (110 points)
Hello,

We have upgraded our SFTP server to Red Hat 8 with the OpenSSH_8.0p1 server, and FIPS is enabled as part of DoD compliance.

Our partner uploads data to us and they use edtFTPnet/PRO 9.4.0.40.

They can no longer connect to our SFTP server, we are seeing errors:
no matching host key type found. Their offer: ssh-dss,ssh-rsa

As best as I can tell, the culprit here is FIPS on our server, but we cannot disable FIPS, or we will be out of compliance with DoD security.

This worked fine with Red Hat 6 as the server and edtFTPnet/PRO 9.4.0.40 as the client, but that is most likely because Red Hat 6 had looser security controls and ciphers.

My understanding is that "ssh-dss,ssh-rsa" implies SHA-1 signatures, which FIPS will not allow.

Can you tell us if the user who uses edtFTPnet/PRO 9.4.0.40 as their client software:
1) needs to upgrade edtFTPnet/PRO
2) needs to generate a new keypair
3) both?
4) Some other problem?

Thanks!

1 Answer

0 votes
by (8.2k points)

Hi,

I do not think it is FIPS compliance, as FIPS compliance validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being altered or tampered with. If the correct procedures are followed by the client using edtFTPnet/PRO and the correct algorithms, key methods and ciphers are used, it should be possible to resolve this.

One thing I have just noticed is that the latest version of edtFTPnet/PRO includes the following changes. I would advise the client to upgrade to the latest version so that they have eliminated the possibility that they are using the outdated version (version 9.4.0) as the cause for the issue. If after updating they still experience issues, then please get the client to contact us directly so that we can resolve this.
The updated revisions include:

Version 10.0.0
(16 September, 2021)
  • Support new OpenSSH private key format for reading private keys.
  • Support SHA384 in TLS.
  • Fix UseUnencryptedData bug.
  • Introduce MaxQueuedReadRequests to allow switching off pipelining of SSH requests.
Version 9.9.0
(3 March, 2021)
  • Add property to disable the extended master secret security feature for servers that do not support it.
  • Add download workaround for SFTP servers that return a 0 file size (symptom was downloaded files were zero size).
  • Add fix for SFTP servers that cannot cope with pipelined downloads, resulting in downloaded files that are corrupted.
Version 9.8.0
(6 January, 2021)
  • Add support for .NET CORE 3.1.
Version 9.7.0
(28 September, 2020)
  • Add support for ECDSA host keys (ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521).
  • Add support for ECDH SHA2 key exchanges (ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521).
  • Add support for ECDSA private keys (ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521).
Version 9.6.0
(25 October, 2019)
  • Substantially improve download speed for most SFTP transfers. See SSHMaxQueuedReadRequests property.
  • Fix SFTP ConsumeWindowSpace issue.
  • Add TCPBufferSize property. This allows setting of the socket read and write buffer sizes (Windows equivalent to SO_RCVBUF/SO_SNDBUF). The default should generally be used.
Version 9.5.1
(10 September, 2019)
  • Fix issue "The data was not signed by the server certificate" in TLS 1.0/1.1. Only occurred when building with > .NET 4 framework as a target.
  • Fix issue where trial key was not being created correctly.
Version 9.5.0
(15 June, 2019)
  • Add AES Galois Counter Mode (GCM) cipher suites to TLS.
  • Fix issue where exception thrown in HTTP transfer if transferParams set to null.
  • Fix compatibility issue with servers that send a fragmented initial version string.
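As an added illustration (not code from the question, the answer, or the edtFTPnet/PRO library), the Python model below walks through the SSH host-key algorithm negotiation from RFC 4253 section 7.1: the server picks the first algorithm in the client's preference order that it also supports. It shows why a client offering only ssh-dss,ssh-rsa (both SHA-1 based signature algorithms) gets "no matching host key type found" from a server that accepts only SHA-2 based host-key signatures, and why a client version that offers the ECDSA host-key algorithms listed in the 9.7.0 changelog above can connect. The server-side algorithm list, the installed host-key inventory and the upgraded client's offer string are constructed assumptions for the example; a real sshd's list depends on its installed host keys and its crypto policy.

```python
"""Model of SSH host-key algorithm negotiation (RFC 4253, section 7.1).

Added example: constructed inputs, not a capture from the server in the
question and not the edtFTPnet/PRO library's own negotiation code.
"""
from typing import Dict, List, Optional, Sequence

# Signature algorithms that are SHA-1 based and therefore typically disabled
# when a server is restricted to SHA-2 signatures.
SHA1_SIGNATURE_ALGS = {"ssh-rsa", "ssh-dss"}

# Which host-key algorithm names each installed host-key type can serve.
# (An RSA host key can sign with rsa-sha2-512/256 or the legacy ssh-rsa;
# an ECDSA key serves exactly one curve-specific algorithm.)
ALGS_FOR_KEY_TYPE: Dict[str, List[str]] = {
    "rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "ecdsa-p256": ["ecdsa-sha2-nistp256"],
    "ecdsa-p384": ["ecdsa-sha2-nistp384"],
    "ecdsa-p521": ["ecdsa-sha2-nistp521"],
    "dsa": ["ssh-dss"],
}

# Constructed server inventory (assumption): an RSA and a P-256 ECDSA host
# key installed, SHA-1 signature algorithms disabled by policy.
SERVER_INSTALLED_KEYS = ["rsa", "ecdsa-p256"]
SERVER_ALLOW_SHA1 = False

# Client offer quoted verbatim in the question (edtFTPnet/PRO 9.4.0.40).
OLD_CLIENT_OFFER = "ssh-dss,ssh-rsa"
# Assumed offer from a client version with ECDSA host-key support (the
# 9.7.0 changelog lists ecdsa-sha2-nistp256/384/521); the exact string a
# real client sends is an assumption here.
NEW_CLIENT_OFFER = ("ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
                    "ecdsa-sha2-nistp521,ssh-rsa,ssh-dss")


def parse_name_list(name_list: str) -> List[str]:
    """Split an SSH comma-separated name-list, dropping empty entries."""
    return [n for n in name_list.split(",") if n]


def server_host_key_algs(installed_keys: Sequence[str], allow_sha1: bool) -> List[str]:
    """Derive the algorithms a server can offer from its installed host keys
    and whether SHA-1 based signatures are permitted by policy."""
    algs: List[str] = []
    for key_type in installed_keys:
        for alg in ALGS_FOR_KEY_TYPE.get(key_type, []):
            if alg in SHA1_SIGNATURE_ALGS and not allow_sha1:
                continue
            algs.append(alg)
    return algs


def negotiate_host_key_alg(client_offer: str, server_algs: Sequence[str]) -> Optional[str]:
    """Return the first algorithm in the client's preference order that the
    server also supports, or None when there is no overlap (the case sshd
    reports as 'no matching host key type found')."""
    server_set = set(server_algs)
    for alg in parse_name_list(client_offer):
        if alg in server_set:
            return alg
    return None


def diagnose(client_offer: str, server_algs: Sequence[str]) -> str:
    """Human-readable verdict for a client offer against a server list."""
    chosen = negotiate_host_key_alg(client_offer, server_algs)
    if chosen is not None:
        return f"ok: negotiated {chosen}"
    offered = parse_name_list(client_offer)
    if offered and all(a in SHA1_SIGNATURE_ALGS for a in offered):
        return ("no matching host key type found: client offers only SHA-1 based "
                f"signature algorithms ({client_offer}); the client needs a version "
                "that offers SHA-2 based host-key algorithms")
    return f"no matching host key type found: no overlap for offer {client_offer}"


if __name__ == "__main__":
    server_algs = server_host_key_algs(SERVER_INSTALLED_KEYS, SERVER_ALLOW_SHA1)
    print("server accepts:", ",".join(server_algs))
    print("9.4.0.40 client ->", diagnose(OLD_CLIENT_OFFER, server_algs))
    print("upgraded client ->", diagnose(NEW_CLIENT_OFFER, server_algs))
```

Two things follow from running this against the constructed inventory: the old offer fails because every algorithm in it is SHA-1 based, and the upgraded client succeeds only because the server actually has an ECDSA host key installed (or an RSA key and a client that offers rsa-sha2-256/512). The host key belongs to the server, so the question's "generate a new keypair" item is about the server's host key inventory and the client's supported algorithms, not about the partner's user key.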
