Tutorial - Use a Legacy Encryption Algorithm for an SFTP Partner

In this tutorial, you will:

  • Allow the configuration of SFTP servers and partners with the legacy SFTP algorithms.
  • Configure an SFTP partner to explicitly enable the use of a legacy cipher algorithm.

Step 1

Edit the UDMG Server configuration file and set the AllowLegacyCiphers parameter to true:

[sftp]
; Set to true to allow legacy and weak cipher algorithms: 3des-cbc,aes128-cbc,arcfour,arcfour128,arcfour256
AllowLegacyCiphers = true

Step 2

Restart the MFT Waarp Gateway Linux service. The legacy ciphers are now globally allowed but are not used by default.

systemctl restart mft_waarp_gateway

Step 3

Log in to the UDMG Admin UI and navigate to Management > Partners.
Step 4

Create a new partner named wftpserver with the address demo.wftpserver.com and port 2222.

Step 5

Using a dedicated tool or the verbose mode of the sftp client, check which cipher algorithms the remote partner supports.

For example, with the Linux sftp client (OpenSSH_7.4p1):

$ sftp -vv -c aes128-cbc -P 2222 demo.wftpserver.com 2>&1 |grep -A 6 'server KEXINIT proposal' |grep -v stoc
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com

This shows that several algorithms are supported in each category, including the legacy ciphers 'aes128-cbc' and '3des-cbc'.

Step 6

On the UDMG Server panel, click on the Configuration tab.

The gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to the clients.

  • In the Encryption Algorithms dropdown list, pick aes128-cbc.
  • In the MAC algorithms list, select hmac-sha2-256 (this disables hmac-sha2-256-etm@openssh.com, which would be enabled otherwise).

    Note: the MAC algorithm hmac-sha2-256-etm@openssh.com is not compatible with the CBC encryption algorithms (aes128-cbc, 3des-cbc).

    Transfer attempts for such a combination of algorithms will raise an error 'Error on remote partner: ssh: handshake failed: ssh: packet too large'.
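The following is an added helper script, not part of UDMG or Waarp Gateway, that ties Step 5 and the note above together: it parses the 'sftp -vv' KEXINIT lines, lists which of the legacy ciphers named in the AllowLegacyCiphers comment the partner offers, and rejects a CBC cipher paired with an -etm@openssh.com MAC before the combination is saved. The sample output is a constructed copy of the Step 5 capture.

```python
import re

# Legacy/weak ciphers as listed in the AllowLegacyCiphers comment of the UDMG config.
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "arcfour", "arcfour128", "arcfour256"}

# Constructed sample: the 'sftp -vv' lines shown in Step 5 (not a live capture).
SAMPLE_OUTPUT = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com
"""

LINE_RE = re.compile(r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos|MACs ctos): (.*)$")


def parse_kexinit(output):
    """Return {category: [algorithms]} from the server KEXINIT debug2 lines."""
    proposal = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proposal[m.group(1)] = m.group(2).split(",")
    return proposal


def legacy_ciphers_offered(proposal):
    """Legacy ciphers the remote partner proposes, in its own preference order."""
    return [c for c in proposal.get("ciphers ctos", []) if c in LEGACY_CIPHERS]


def check_combination(cipher, mac):
    """Reject the CBC cipher + etm MAC pairing that fails with 'ssh: packet too large'."""
    if cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"):
        return False, "%s is not compatible with %s; select a non-etm MAC such as hmac-sha2-256" % (cipher, mac)
    return True, "ok"


if __name__ == "__main__":
    proposal = parse_kexinit(SAMPLE_OUTPUT)
    print("legacy ciphers offered by partner:", legacy_ciphers_offered(proposal))
    for cipher, mac in [("aes128-cbc", "hmac-sha2-256-etm@openssh.com"), ("aes128-cbc", "hmac-sha2-256")]:
        print(cipher, "+", mac, "->", check_combination(cipher, mac)[1])
```

Only the ciphers named in the config comment are flagged as legacy; aes192-cbc and aes256-cbc are still CBC-mode and are still caught by the pairing check.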

Step 7

Click Save and Confirm.

Step 8

The partner configuration is updated. The green dot on the tab shows that the configuration is customized.