tracker issue : CF-4014234

Title:

CFFTP to S-FTP server raises error "Algorithm negotiation fail"


Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Andrew O / Andrew O (Andrew O)

Created: 06/29/2015

Components: Net Protocols, sFTP

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final / 303936

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 14

Listed in the version 2016.0.06.308055 Issues Fixed doc
Problem Description:

When using CFFTP to connect to some S-FTP server, during the connect phase, the error "Algorithm negotiation fail" is returned.

Suspect that this is caused by non-support of the S-FTP encryption or hashing protocols by the current JSCH jar library used (which is jsch-0.1.44m.jar). From the class list it does not seem that HMAC-SHA-256 is supported.

The trace from Filezilla Client reveals this protocol:
Trace:	We claim version: SSH-2.0-PuTTY_Local:_Jun__2_2015_17:18:05
Trace:	Server version: SSH-2.0-OpenSSH_6.6p2-hpn14v4
Trace:	We believe remote version has SSH-2 channel request bug
Trace:	Using SSH protocol version 2
Trace:	Doing ECDH key exchange with hash SHA-256
Trace:	Host key fingerprint is:
Trace:	ecdsa-sha2-nistp256 9c:3c:30:ad:07:b5:de:63:4a:8e:32:d6:28:19:46:e6
Trace:	Initialised AES-256 SDCTR client->server encryption
Trace:	Initialised HMAC-SHA-256 client->server MAC algorithm
Trace:	Initialised AES-256 SDCTR server->client encryption
Trace:	Initialised HMAC-SHA-256 server->client MAC algorithm

Note: I have already enabled/replaced the policy.jar files with the unlimited strength ones - the error still occurs.


Steps to Reproduce:

- Setup S-FTP server with SHA-256 and HMAC-SHA-256, AES-256 SDCTR protocols.
- Run CFFTP to connect.

Actual Result:

- Algorithm negotiation fail error

Expected Result:

- Successful connection

Any Workarounds:

- None

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4014234

External Customer Info:
External Company:  
External Customer Name: Andrew
External Customer Email:  
External Test Config: My Hardware and Environment details:

Windows Server 2012 R2, CF 11,0,05,293506 64 bit.

Attachments:

  1. June 26, 2017 00:00:00: jsch-0.1.52m.jar
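
Added example (not part of the original report, and not Adobe or JSch code): a simplified model of the SSH algorithm selection rule from RFC 4253 section 7.1, showing why a client without SHA-2 era algorithms cannot complete negotiation with a server restricted to the algorithms named in the trace above. The client name-lists are assumptions constructed for illustration, not the actual lists shipped in any JSch jar, and the key-exchange rule is reduced to "first client preference the server also offers".

```python
# Added example: RFC 4253 section 7.1 selection rule, simplified.
# All name-lists are constructed for illustration.
CATEGORIES = ("kex", "server_host_key", "cipher_c2s", "cipher_s2c",
              "mac_c2s", "mac_s2c")

def negotiate(client, server):
    """Per category, pick the first client-preferred algorithm that the
    server also offers. Returns (agreed, failed_categories)."""
    agreed, failed = {}, []
    for cat in CATEGORIES:
        offered = set(server.get(cat, ()))
        choice = next((a for a in client.get(cat, ()) if a in offered), None)
        if choice is None:
            failed.append(cat)   # one empty intersection aborts the handshake
        else:
            agreed[cat] = choice
    return agreed, failed

def missing(client, server):
    """For each failed category, what the server would have accepted."""
    _, failed = negotiate(client, server)
    return {cat: list(server[cat]) for cat in failed}

# Server limited to what the FileZilla trace shows being negotiated.
SERVER = {
    "kex": ["ecdh-sha2-nistp256"],
    "server_host_key": ["ecdsa-sha2-nistp256"],
    "cipher_c2s": ["aes256-ctr"], "cipher_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
}
# Hypothetical SHA-1-era client (assumption, not read from any jar).
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key": ["ssh-rsa", "ssh-dss"],
    "cipher_c2s": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "cipher_s2c": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac_c2s": ["hmac-md5", "hmac-sha1"], "mac_s2c": ["hmac-md5", "hmac-sha1"],
}
# Hypothetical newer client: same preferences with SHA-2 era names appended.
EXTRA = {"kex": ["ecdh-sha2-nistp256"], "server_host_key": ["ecdsa-sha2-nistp256"],
         "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
NEWER_CLIENT = {c: LEGACY_CLIENT[c] + EXTRA.get(c, []) for c in CATEGORIES}

if __name__ == "__main__":
    for name, client in (("legacy", LEGACY_CLIENT), ("newer", NEWER_CLIENT)):
        agreed, failed = negotiate(client, SERVER)
        print(name, "FAIL " + ", ".join(failed) if failed else "OK", agreed)
```

The cipher can match while the MAC, key exchange or host key type does not, which is why replacing the policy files for unlimited-strength AES alone does not change the outcome in this model.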

Comments:

I am having same result. This bug was reported on 6/29/15. Are there any workarounds, progress on fixing the bug, etc?
Comment by External U.
6841 | September 08, 2015 11:17:13 AM GMT
Hi Eric, As you have specified the JSCH jar library in ColdFusion does not list the HMAC-SHA-256 hashing protocol. I was trying to verify this issue with FreeSSHD SFTP Server as well as Core SFTP Client server, where I was trying to set it up with the above specified protocols under the encryption methods/allowed ciphers. And I did not find the option of HMAC-SHA-256 hashing protocol. Are you using any other SFTP Server client or am I missing something here? Thanks!
Comment by S P.
6842 | November 23, 2015 10:30:39 PM GMT
Since there has been no response wrt this issue, closing the bug for now. If this issue exists, do let us know, will reopen the bug. Thanks!
Comment by S P.
6843 | May 26, 2016 02:55:57 AM GMT
Can you let us know the CF version?
Comment by Anit K.
6844 | December 21, 2016 10:04:25 AM GMT
Same issue happening for me. We have a scheduled task that uses <cfftp> to send file to a vendor's SFTP server. They recently switched to accept SHA-2 encryption only and now the <cfftp> call fails with the exact same error. ColdFusion 11,0,11,301867 (update 11)
Comment by Hana H.
6845 | January 11, 2017 04:42:59 PM GMT
We're running into the same issue on ColdFusion 11.... 11,0,11,301867. We downloaded and tested an install of 2016 and it works as expected. Will this issue be re-opened and CF11 updated? Thanks!
Comment by Brent R.
6846 | January 26, 2017 05:12:59 PM GMT
Seriously this needs to be fixed!!! and as others have noted this fails on CF11 and works on CF2016.
Vote by Wil G.
6865 | April 18, 2017 05:38:34 PM GMT
This is now a critical client issue as they upgraded their security. Fix needed for CF11.
6866 | April 18, 2017 05:46:28 PM GMT
We have a provable test case that fails every time due to this bug. CF11 11,0,11,301867. I've tested this on a dev version of CF2016 and it works there so there is definitely a difference in ColdFusion between versions.
Comment by Wil G.
6847 | April 18, 2017 05:56:52 PM GMT
Please fix this!! My scheduled task is failing.
Vote by Kathryn B.
6867 | April 18, 2017 06:03:06 PM GMT
Absolutely irresponsible to close a bug just because someone did not reply to it particularly as unreliable as notifications are! Nothing should be more important to fix than issues related to keeping our servers secure. The bug report even HAD the information on what version this was in, there is NO EXCUSE for closing this without even trying to reproduce it. FIX THE BUG.
Vote by Mary J.
6868 | April 18, 2017 06:24:50 PM GMT
How can the reason code be "NotABug"? Obviously it's not working as it should... Did you do it on purpose? Fix it!
Vote by Aaron G.
6869 | April 18, 2017 11:03:33 PM GMT
This bug needs to be fixed on CF11 as soon as possible. We are encountering it with more and more users.
Comment by Andrew O.
6848 | April 19, 2017 02:55:58 AM GMT
Your team has as much information as I have and I can reproduce the issue. The two lines of code I provided are all you need. The code fails on CF11 and works on CF2016. Thus there is a difference between how CF11 and CF2016 are handling sFTP. I decided to do my own comparison. CF11 and CF2016 are using JSch for Secure Channel FTP. CF11 has jsch-0.1.44m.jar and CF2016 has jsch-0.1.52m.jar. I copied the newer version into the lib folder for CF11 and retested with CF11 after restarting. Now, when using CF11 the sFTP connection works. There's your issue.
Comment by Wil G.
6849 | April 19, 2017 05:10:56 PM GMT
Any response? Anyone?
Comment by Wil G.
6850 | April 20, 2017 05:12:52 PM GMT
Just wanted to mention I used Wil Genovese's solution and SFTP to the site that is using SHA2 is working now. I found a copy of jsch-0.1.52m.jar, copied it over to the coldfusion /lib folder and restarted ColdFusion. Worked like a charm. Thanks Wil
Comment by Hana H.
6851 | April 21, 2017 03:35:26 AM GMT
The reason for this issue was figured out and is in the Tofix state. But there was another bug for the same issue which got retained and this bug got closed as duplicate of that. Reopening this bug and closing the other bug. Thanks!
Comment by S P.
6852 | April 26, 2017 09:44:03 AM GMT
I note this has been reflagged as "To fix", but no actual recent input from Adobe. What's the timeframe for this?
Comment by Adam C.
6853 | April 26, 2017 01:45:51 PM GMT
Where did you all find this elusive updated jar file? I am not finding it anywhere, although I do see the jsch-0.1.52.jar all over the place.
Comment by Cathy W.
6854 | May 08, 2017 03:13:59 PM GMT
Cathy, I found it bundled with ColdFusion 2016. C:\ColdFusion2016\cfusion\lib\jsch-0.1.52m.jar Regards, Wil
Comment by Wil G.
6855 | May 08, 2017 04:40:44 PM GMT
That's what I was afraid of, Wil. I don't have access to a ColdFusion2016 install.
Comment by Cathy W.
6856 | May 08, 2017 04:41:57 PM GMT
Cathy, anyone can download and install the FREE CF2016 Developer edition from Adobe.
Comment by Wil G.
6857 | May 08, 2017 04:44:27 PM GMT
Aha! You're the best. I'll go grab it now.
Comment by Cathy W.
6858 | May 08, 2017 05:22:43 PM GMT
Almost at the 2 year anniversary... still not fixed. The solution proposed by Wil Genovese works. I have not found any side effects of upgrading the library but if I encounter any I'll report back to this thread.
Comment by David K.
6859 | June 26, 2017 02:31:13 PM GMT
It's not as if Adobe has to rewrite any code. It's a simple matter of including the new jar file. Yet, that is too much to ask of Adobe.
Comment by Wil G.
6860 | July 28, 2017 05:45:08 PM GMT
@All - This is fixed and is currently being tested. We will roll this out in the next bug-fix update cycle.
Comment by Vamseekrishna N.
6861 | July 29, 2017 03:15:54 AM GMT
Given that CF11 Update 13 and CF2016 Update 5 were both security updates, this fix will now be made available in the next bug-fix update release cycle for 11.0 and 2016.
Comment by Vamseekrishna N.
6862 | September 14, 2017 04:14:23 PM GMT
Sure, why not. You've already punted on this issue that affects so many of us for two whole YEARS, what's another few months, right? Most of us would consider the fact that you are hamstringing the ability to use SFTP a SECURITY issue. Anything that prevents developers from using the latest security protocols should be a PRIORITY to fix. Not a maybe someday when we get around to it, if we feel like it and only if you do the work and find the fix for it.
Comment by Mary J.
6863 | September 14, 2017 04:57:28 PM GMT
Has this been addressed yet? I'm assuming yes since it says fixed, but I'm still getting errors (unless I replace the file manually). Maybe my CF updater isn't working correctly?
Comment by Jeff C.
6864 | February 03, 2018 10:07:32 AM GMT