SFTP 3.05 plugin Ciphers questions


Post by *Shyciii »

Hi. I use the SFTP plugin for secure connections to Linux servers.
The servers are set with pretty strong algorithms, so I can't connect. I have already found out that the cipher value is not correct for the plugin. Currently these are the settings on the servers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com

Which cipher is supported by this plugin? Where can I check this?

Post by *ghisler(Author) »

I'm using libssh2 from https://libssh2.org/
According to the above page, aes256-gcm@openssh.com is supported, while chacha20-poly1305@openssh.com isn't.

According to that page, the strongest exchange method supported is diffie-hellman-group-exchange-sha256.
But the page is out of date; it also supports the following more secure methods:
curve25519-sha256@libssh.org
curve25519-sha256
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256

I would use one of the curve25519 methods for now.
Author of Total Commander
https://www.ghisler.com

Post by *Shyciii »

Unfortunately there is no compiled libssh2.dll on that page.
And I cannot compile it myself.

Post by *Dalai »

The libssh2.dll is part of the SFTP plugin package/archive (sftpplug.zip). Ghisler just mentioned the source where he got it from and what its features are.

Post by *ghisler(Author) »

2Shyciii
Please make sure you got the latest plugin version 3.10 beta 5, it includes a newer libssh2 dll:
https://www.totalcommander.ch/beta/sftpplug310b5.zip

The encryption method isn't the only algorithm which must match between client and server. There are actually multiple which must be present on both sides:
1. Key exchange methods (kex algorithms): These are used to exchange encryption keys in a way that an eavesdropper can't steal them. See my list above. Please make sure your servers support at least one of them.
2. Server host key algorithms: These are used for the server certificate to prove that the server is who he claims he is. The following are supported:
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
rsa-sha2-256
rsa-sha2-512
ssh-rsa-cert-v01@openssh.com
ssh-rsa
ssh-dsa
3. The encryption algorithms: These are used to encrypt the actual data sent over the line. We already confirmed that aes256-gcm@openssh.com is supported.
4. MAC algorithms: These are used to verify that the sent data is unmodified:
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha1-96
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com

Post by *Shyciii »

ghisler(Author) wrote: 2025-04-17, 07:01 UTC
2Shyciii
Please make sure you got the latest plugin version 3.10 beta 5, it includes a newer libssh2 dll:
https://www.totalcommander.ch/beta/sftpplug310b5.zip

The encryption method isn't the only algorithm which must match between client and server. There are actually multiple which must be present on both sides:
1. Key exchange methods (kex algorithms): These are used to exchange encryption keys in a way that an eavesdropper can't steal them. See my list above. Please make sure your servers support at least one of them.
2. Server host key algorithms: These are used for the server certificate to prove that the server is who he claims he is. The following are supported:
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
rsa-sha2-256
rsa-sha2-512
ssh-rsa-cert-v01@openssh.com
ssh-rsa
ssh-dsa
3. The encryption algorithms: These are used to encrypt the actual data sent over the line. We already confirmed that aes256-gcm@openssh.com is supported.
4. MAC algorithms: These are used to verify that the sent data is unmodified:
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha1-96
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com

Thx. I tried it with beta 5, but it doesn't work. It works only if I set Ciphers aes256-ctr (on the server side) too.

I use server side config:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

Post by *ghisler(Author) »

I found the problems:
1. chacha20-poly1305@openssh.com was only added to libssh2 version 1.11.1, so I have now updated to it.
2. aes256-gcm@openssh.com and aes128-gcm@openssh.com were not supported with the Windows backend, so I added the code myself. That unfortunately took several days.
Download here:
https://www.ghisler.ch/board/viewtopic.php?p=470623#p470623
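
The mismatch discussed in this thread, as an added example that is not part of any post and is not the plugin's or libssh2's code: it parses the server config quoted above and applies the simplified SSH selection rule (the first algorithm on the client's list that the server also lists) to each of the four categories. The client lists are assembled only from algorithms named in this thread, their order is an assumption, and `parse_sshd_config` and `negotiate` are hypothetical helper names.

```python
SSHD_CONFIG = """\
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

# Constructed client lists: subsets of the algorithms named in the thread,
# in an assumed preference order. Beta 5 only connected with aes256-ctr.
CLIENT_BETA5 = {
    "KexAlgorithms": ["curve25519-sha256@libssh.org", "curve25519-sha256",
                      "ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
    "HostKeyAlgorithms": ["ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com",
                          "ecdsa-sha2-nistp256", "rsa-sha2-256", "rsa-sha2-512"],
    "Ciphers": ["aes256-ctr"],
    "MACs": ["hmac-sha2-512", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha2-256", "hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
}
# After the fix described in the last post: chacha20-poly1305 and AES-GCM added.
CLIENT_FIXED = dict(CLIENT_BETA5, Ciphers=[
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com", "aes256-ctr"])

def parse_sshd_config(text):
    """Return {keyword: [algorithms]} for explicit lists (no +/-/^ modifiers)."""
    wanted = {"kexalgorithms": "KexAlgorithms", "hostkeyalgorithms": "HostKeyAlgorithms",
              "ciphers": "Ciphers", "macs": "MACs"}
    server = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split keyword
        if len(parts) == 2 and parts[0].lower() in wanted:
            server[wanted[parts[0].lower()]] = [a.strip() for a in parts[1].split(",")]
    return server

def negotiate(client, server):
    """Per category pinned in the config: first client algorithm the server
    also lists, or None when the two sides have nothing in common."""
    return {cat: next((a for a in client[cat] if a in offered), None)
            for cat, offered in server.items()}

if __name__ == "__main__":
    server = parse_sshd_config(SSHD_CONFIG)
    for name, client in (("beta 5", CLIENT_BETA5), ("fixed build", CLIENT_FIXED)):
        for cat, alg in negotiate(client, server).items():
            print(f"{name:12} {cat:18} {alg or 'NO COMMON ALGORITHM'}")
```

A single category with no common algorithm is enough to make the connection fail, which is why the beta 5 case breaks on `Ciphers` alone. With an AEAD cipher such as the two on this server's list, integrity comes from the cipher itself and the negotiated MAC is not used.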