JSCH offering less secure ciphers first

  • JSCH offering less secure ciphers first

    I have an issue with an SFTP connection not connecting from Mirth, but connects correctly from FileZilla on the same server.

    When I watch the traffic with Wireshark, I see that the Mirth connection offers the algorithms in "Mirth Algorithm client to server.JPG" with the less secure ciphers first.

    The client and server seem to agree on encryption:aes128-ctr mac:hmac-sha1 compression:none and send several Encrypted Packets, but then the server sends a FIN and RST Packet and closes the connection.

    When I try to Test the connection, Mirth shows the Warning:
    Unable to connect to: sftp://{server}/{Directory}, Reason: SSH_MSG_DISCONNECT: 11 Bye Bye
    Unable to connect to: sftp://{server}/{Directory}, Reason: connection is closed by foreign host

    I found a similar forum entry that says to add the port number. I tried that as well, but still get the same response.

    When FileZilla makes the connection from the same server, it offers the more secure algorithms first (see "FileZilla Algorithm client to server.JPG"), and the connection is made with aes256-ctr mac:sha2-256 compression:none, and communicates correctly with the server.

    I have also tried these other items:
      - Port not entered issue. Tried with and without, with the same issues.
      - Upgrade to Mirth 3.5, but I am already at 3.8.1.
      - Upgrade to the newest version of Java. Loaded AdoptOpenJDK on a test server, but having the same issues.
      - Upgrade to the latest version of JSCH. Tried jsch-0.1.55.jar, but still have the same results.
      - Tried several options on HostKeyChecking. I believe it did add the new host key, but still hasn’t allowed the connection.
      - Tried the Group Policy editor to change the SSL Cipher Suite Order and remove the AES-128 Cipher Suites, but they are still offered by JSCH in the same order.
      - Forum on how the connection is made.
      - Used IISCrypto to limit the Protocols, Ciphers, Hashes on this server, but JSCH still uses the same ones. This changes SCHANNEL Registry keys.
      - said the server should be limiting the ciphers that are allowed
    I tried adding the Java Unlimited Strength Jurisdiction Policy Files, but not sure if that actually applied or not.

    Thanks for any help.
    Last edited by brucem; 12-19-2019, 07:10 AM.
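
Added example, not part of the original post and not Mirth or JSch code: a stand-alone model of the SSH algorithm negotiation rule (RFC 4253, section 7.1), showing why the client's offer order decided the two outcomes seen in the captures. All name-lists are constructed for illustration and are not copied from the attached screenshots; in JSch the client-side lists come from its `cipher.c2s`/`cipher.s2c` and `mac.c2s`/`mac.s2c` configuration values.

```java
import java.util.Arrays;
import java.util.List;

public class KexNegotiation {
    // RFC 4253 section 7.1: for ciphers, MACs and compression the chosen
    // algorithm is the first name on the CLIENT's list that the server also
    // lists. The order of the server's list does not influence the result.
    static String negotiate(String clientList, String serverList) {
        List<String> server = Arrays.asList(serverList.split(","));
        for (String name : clientList.split(",")) {
            if (server.contains(name)) {
                return name;
            }
        }
        // No overlap: a real server ends the key exchange at this point.
        throw new IllegalStateException(
                "no common algorithm: client=" + clientList + " server=" + serverList);
    }

    // Each array holds three name-lists: cipher, MAC, compression.
    static String summarize(String label, String[] client, String[] server) {
        return String.format("%-28s encryption:%s mac:%s compression:%s", label,
                negotiate(client[0], server[0]),
                negotiate(client[1], server[1]),
                negotiate(client[2], server[2]));
    }

    public static void main(String[] args) {
        // Constructed sample lists (assumptions, not values from the page's captures).
        String[] weakFirst   = {"aes128-ctr,aes192-ctr,aes256-ctr", "hmac-sha1,hmac-sha2-256", "none"};
        String[] strongFirst = {"aes256-ctr,aes192-ctr,aes128-ctr", "hmac-sha2-256,hmac-sha1", "none"};
        String[] permissive  = {"aes256-ctr,aes192-ctr,aes128-ctr", "hmac-sha2-256,hmac-sha1", "none"};
        String[] restricted  = {"aes256-ctr", "hmac-sha2-256", "none"};

        // The server prefers aes256-ctr, yet a weak-first client still gets aes128-ctr.
        System.out.println(summarize("weak-first vs permissive:", weakFirst, permissive));
        System.out.println(summarize("strong-first vs permissive:", strongFirst, permissive));
        // Only a server that removes the weaker names forces the stronger choice.
        System.out.println(summarize("weak-first vs restricted:", weakFirst, restricted));

        try {
            negotiate("aes128-cbc,3des-cbc", restricted[0]);
        } catch (IllegalStateException e) {
            System.out.println("negotiation failed: " + e.getMessage());
        }
    }
}
```

Both clients complete negotiation against the permissive server, so offer order alone changes which algorithms are selected, not whether a common set exists.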

  • #2
    Who owns the server? Do they have logging that can tell you why it's ending the connection?


    • #3
      An outside Vendor owns the server. It appears to be a WingFTP Server. I asked their support guy if they had logging for why it ended the connection.