"Unable to negotiate" and "no matching cipher found" errors when trying to connect with sftp.

This document (000020706) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Linux Enterprise Desktop 15 SP3

Situation

sftp is unable to connect to an SFTP server and the following error message is displayed:
[Unable to negotiate with X.X.X.X port 22: no matching cipher found. Their offer: blowfish-cbc, aes256-cbc]

Resolution

The SFTP server likely supports only legacy CBC (Cipher Block Chaining) ciphers such as blowfish-cbc and aes256-cbc, and the SFTP client does not accept those ciphers.

There are two possible solutions:

1) Upgrade and harden the SFTP server so that it supports more secure ciphers (best solution);

2) As a workaround, force the SFTP client to select the legacy cipher supported by the SFTP server for encrypting the data transfers, using the -c parameter of the sftp command;

    Example:
       sftp -c aes128-cbc sftpuser@X.X.X.X
      
  where X.X.X.X is the SFTP server IP address.
 
From sftp man page:
     -c cipher
             Selects the cipher to use for encrypting the data
             transfers.  This option is directly passed to ssh(1).

 
The list of available ciphers supported by the SFTP client may also be obtained using the command "ssh -Q cipher".
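
The value passed to -c has to be a cipher that the server offers and that this client build still supports. The following shell functions are an added example, not part of the original SUSE article: they intersect the "Their offer" list from the error message with a cipher list in the format printed by "ssh -Q cipher". The function names and the sample cipher list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE article): find a usable value for `sftp -c`
# by intersecting the server's offer with the ciphers the client supports.

# Constructed sample input: the error line in the form shown in the article.
SAMPLE_ERROR='[Unable to negotiate with X.X.X.X port 22: no matching cipher found. Their offer: blowfish-cbc, aes256-cbc]'

# Constructed sample in the format of `ssh -Q cipher` output. On a real
# client, pass "$(ssh -Q cipher)" as the second argument instead.
SAMPLE_CLIENT_CIPHERS='3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

# offered_ciphers ERROR_LINE
# Prints one cipher per line from the text after "Their offer:".
# Tolerates spaces after commas and a trailing "]" as quoted in the article.
offered_ciphers() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr -d '] ' | tr ',' '\n'
}

# usable_ciphers ERROR_LINE CLIENT_CIPHER_LIST
# Prints the ciphers that are both offered by the server and supported by
# the client, in the server's order. Prints nothing if there is no overlap,
# in which case the -c workaround cannot succeed from this client.
usable_ciphers() {
    offered_ciphers "$1" | while IFS= read -r c; do
        [ -n "$c" ] || continue
        # -F fixed string, -x whole line: exact cipher-name match only.
        if printf '%s\n' "$2" | grep -Fxq -- "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# Demo on the constructed sample data.
usable_ciphers "$SAMPLE_ERROR" "$SAMPLE_CLIENT_CIPHERS"
```

An empty result means no legacy cipher is common to both sides, so only solution 1 (upgrading the server) applies.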

Cause

The SFTP client is trying to use more secure ciphers for encrypting the data transfers, but the SFTP server probably supports only legacy CBC (Cipher Block Chaining) ciphers.

Additional Information

sftp man page: https://man7.org/linux/man-pages/man1/sftp.1.html
Block cipher mode of operation: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
SSH CBC vulnerability: https://www.kb.cert.org/vuls/id/958563
Plaintext Recovery Attacks Against SSH: https://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020706
  • Creation Date: 22-Jul-2022
  • Modified Date: 22-Jul-2022
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
