Why did my message become base64 encoded ?

Best regards
Daniel Bjørnådal Johansen
IT Consultant, ITO Card Services

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Johansen Daniel
Sent: 25 April 2012 14:39
To: openssl-users@openssl.org
Subject: SSH/SFTP - DH_GEX group out of range

Hi.

Having this weird problem when connecting to a SFTP server.

Client Debug:

sftp -vvvv -oport=2222 -F /usr/local/etc/ssh_config <removed>@<removed> 
OpenSSH_5.9p1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: /usr/local/etc/ssh_config line 1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to <removed> [<removed>] port 2222.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/<removed>/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/<removed>/.ssh/id_rsa type 1
debug1: identity file /home/<removed>/.ssh/id_rsa-cert type -1
debug1: identity file /home/<removed>/.ssh/id_dsa type -1
debug1: identity file /home/<removed>/.ssh/id_dsa-cert type -1
debug1: identity file /home/<removed>/.ssh/id_ecdsa type -1
debug1: identity file /home/<removed>/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version <removed>
debug1: no match: <removed>
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [<removed>]:2222
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
DH_GEX group out of range: 1024 !< 1020 !< 8192
Couldn't read packet: Connection reset by peer

As you can see in the end, the error: DH_GEX group out of range: 1024 !< 1020 
!< 8192 shows.

When we grabbed the package and decoded it in Wireshark, we found that the key 
being sent was 1032 bit long, not 1020 as the client debug indicates.
And the request for terminating the session is done by the client, not the 
server.

ssh_config looks like this:

Host *
SendEnv LANG LC_*
HashKnownHosts yes

We have spent countless hours on this problem, and are desperate for a solution.
Since I'm not in control of the client, only the server, I can only say what the 
customer tells me.

Operating system is unix/linux but exactly which, I don’t know.

I can mention that this error only occurs with this customer, and no one else.
And the customer claims that this error only occurs towards us, and no one else.

Anyone have a clue on what this could be ?
Google will not help me on this one ☹

Best regards
Daniel Bjørnådal Johansen
IT Consultant, ITO Card Services
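
Added example (not part of the original message, and not OpenSSH's code): the number in "DH_GEX group out of range" comes from BN_num_bits(), which counts only the significant bits of the received prime, whereas a length read from the wire counts every encoded byte, so the two figures can differ. The sketch below parses an SSH mpint (RFC 4251) and applies the min/max check seen in the log; the sample fields are constructed bit patterns (not real primes) chosen to reproduce the 1032 and 1020 figures, and the names parse_mpint and check_gex_group are hypothetical.

```python
import struct


def parse_mpint(buf, offset=0):
    """Parse one RFC 4251 mpint: uint32 length, then big-endian two's complement."""
    if len(buf) < offset + 4:
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated mpint body")
    data = buf[start:end]
    if data and data[0] & 0x80:
        raise ValueError("negative mpint is not a valid DH modulus")
    return int.from_bytes(data, "big"), length * 8, end


def check_gex_group(p_field, min_bits=1024, max_bits=8192):
    """Compare encoded size with significant bits and apply the client's range check."""
    value, wire_bits, _ = parse_mpint(p_field)
    significant = value.bit_length()  # same quantity BN_num_bits() returns
    return {
        "wire_bits": wire_bits,
        "significant_bits": significant,
        "in_range": min_bits <= significant <= max_bits,
    }


# Constructed sample: 129-byte field, sign byte 0x00, then a top byte of 0x0f.
# 129 * 8 = 1032 bits on the wire, but only 4 + 127 * 8 = 1020 significant bits.
SHORT_P = struct.pack(">I", 129) + b"\x00\x0f" + b"\xff" * 127

# Constructed sample: same encoded size, top bit of the 128-byte value set,
# giving a full 1024 significant bits.
FULL_P = struct.pack(">I", 129) + b"\x00\x80" + b"\x00" * 126 + b"\x01"

if __name__ == "__main__":
    for name, field in (("short", SHORT_P), ("full", FULL_P)):
        r = check_gex_group(field)
        verdict = "accepted" if r["in_range"] else "out of range"
        print(f"{name}: wire={r['wire_bits']} significant={r['significant_bits']} {verdict}")
```

On the server side, the same comparison can be run against the p field copied out of a capture of SSH2_MSG_KEX_DH_GEX_GROUP to see which of the two numbers the client will test against its minimum.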

