
SFTP Connection and Encryption Algorithms

alex_panganiban
Contributor

After the August 2023 upgrade, our SFTP connections started failing due to the deprecation of some default signature protocols. I believe this happened with the 4.33 GA release. To get around this issue, we updated our snaplex node properties to include the jcc.jvm_option at the bottom of this message. Once we put this jvm_option in place, we were able to successfully connect with our partner SFTP server.

Since then, we have been working with our partners to have them update their SFTP key exchanges. We have one partner left that we still cannot connect with when we remove the jvm_option and use the default protocols that SnapLogic provides. 

Here are log snippets from our partner when we include the option and when we remove the option. Can you advise me on what I can recommend to our partner so that we can remove the jvm_option and be able to connect with them successfully?

jcc.jvm_options

-Dsftp.server_host_key=ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 -Dsftp.client_pubkey=ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 -Dsftp.kex=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group18-sha512,ext-info-c -Dsftp.check_kexes=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Log when override is implemented and a successful connection is established

alex_panganiban_0-1718295327418.png

Log when override is removed and a successful connection cannot be established

alex_panganiban_1-1718295429838.png

 

1 REPLY

ddellsperger
Employee

Unfortunately, the SFTP negotiation is a bit cryptic (especially from the dataplane side). The easiest way to figure out specifically what the snap is seeing is to enable the JSCH logging (you'll need to add -DenableJschLogger=True to your jcc.jvm_options as well) and then check the log output from the jcc itself. Those files will contain "JschLogger.java" as the file and will provide the full negotiation details (server and client side). There's also logging in the jcc that indicates what the original pieces were and what the override properties being added were. If you're still facing further issues, please reach out to support; they will connect with you to help debug further (and potentially increase the scope to pull in dev as necessary).
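Added example, not part of either post and not SnapLogic code: a short Python check that takes the override string from the question plus a server's offered lists (as read from the negotiation log) and reports which algorithm is selected with the override and whether any non-SHA-1, non-DSA entry would still match. Assumptions: `SAMPLE_PARTNER` is constructed (the partner's real lists are only in the screenshots), the function names are hypothetical, and selection uses the simplified first-match rule of RFC 4253 section 7.1.

```python
import re

# jcc.jvm_options value copied from the question, split over lines for readability.
JVM_OPTIONS = (
    "-Dsftp.server_host_key=ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 "
    "-Dsftp.client_pubkey=ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 "
    "-Dsftp.kex=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,"
    "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,"
    "diffie-hellman-group18-sha512,ext-info-c "
    "-Dsftp.check_kexes=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
)
# CONSTRUCTED sample of what a legacy server might offer; replace with the
# server-side lists taken from your own negotiation log.
SAMPLE_PARTNER = {
    "sftp.server_host_key": ["ssh-rsa", "ssh-dss"],
    "sftp.kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
}

def parse_overrides(options):
    """Return {property: [algorithms]} for each -Dsftp.* option, order preserved."""
    return {k: v.split(",") for k, v in re.findall(r"-D(sftp\.\w+)=(\S+)", options)}

def is_legacy(name):
    """True for SHA-1 based key exchange or signatures and for DSA host keys."""
    return name in ("ssh-rsa", "ssh-dss") or name.endswith("-sha1") or "-sha1-" in name

def negotiate(client, server):
    """First entry of the client's list that the server also offers, else None."""
    offered = set(server)  # ext-info-c is an RFC 8308 marker, not an algorithm
    return next((a for a in client if a in offered and a != "ext-info-c"), None)

def audit(overrides, server_lists):
    """Per property: result with the override, and with legacy entries removed."""
    report = {}
    for slot, offered in server_lists.items():
        client = overrides[slot]
        modern = [a for a in client if not is_legacy(a) and a != "ext-info-c"]
        fallback = negotiate(modern, offered)
        report[slot] = {
            "with_override": negotiate(client, offered),
            "modern_only": fallback,
            "partner_must_enable_one_of": [] if fallback else modern,
        }
    return report

if __name__ == "__main__":
    for slot, row in audit(parse_overrides(JVM_OPTIONS), SAMPLE_PARTNER).items():
        print(slot, row)
```

Because the override lists `diffie-hellman-group14-sha1` ahead of `diffie-hellman-group-exchange-sha256`, a server offering both still ends up on the SHA-1 exchange while the override is in place.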