Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Android: "Unable to reach a settlement" exception #308

Open
willemw12 opened this issue Mar 23, 2017 · 3 comments
Open

Android: "Unable to reach a settlement" exception #308

willemw12 opened this issue Mar 23, 2017 · 3 comments

Comments

@willemw12
Copy link

On Android, using Spongy Castle, SSH connection:

SSHClient ssh = new SSHClient(new AndroidConfig());
ssh.addHostKeyVerifier(new PromiscuousVerifier());
ssh.connect(HOST, PORT);

fails:

E/TransportImpl: Dying because - {}
                 net.schmizz.sshj.transport.TransportException: Unable to reach a settlement: [diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1] and [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
                     at net.schmizz.sshj.transport.Proposal.firstMatch(Proposal.java:145)
                     at net.schmizz.sshj.transport.Proposal.negotiate(Proposal.java:127)
                     at net.schmizz.sshj.transport.KeyExchanger.gotKexInit(KeyExchanger.java:218)
                     at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:350)
                     at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:500)
                     at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:102)
                     at net.schmizz.sshj.transport.Decoder.received(Decoder.java:170)
                     at net.schmizz.sshj.transport.Reader.run(Reader.java:59)
I/TransportImpl: Disconnected - UNKNOWN
E/n*.s*.c*.Promise: <<kex done>> woke to: net.schmizz.sshj.transport.TransportException: Unable to reach a settlement: [diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1] and [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
W/System.err: net.schmizz.sshj.transport.TransportException: Unable to reach a settlement: [diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1] and [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
W/System.err:     at net.schmizz.sshj.transport.Proposal.firstMatch(Proposal.java:145)
W/System.err:     at net.schmizz.sshj.transport.Proposal.negotiate(Proposal.java:127)
W/System.err:     at net.schmizz.sshj.transport.KeyExchanger.gotKexInit(KeyExchanger.java:218)
W/System.err:     at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:350)
W/System.err:     at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:500)
W/System.err:     at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:102)
W/System.err:     at net.schmizz.sshj.transport.Decoder.received(Decoder.java:170)
W/System.err:     at net.schmizz.sshj.transport.Reader.run(Reader.java:59)

The reason for this is that in SecurityUtils.java, isBouncyCastleRegistered() returns false:

public static final String BOUNCY_CASTLE = "BC";

public static synchronized boolean isBouncyCastleRegistered() {
    register();
    return BOUNCY_CASTLE.equals(securityProvider);
}

because securityProvider is "SC", not "BC.

Then in DefaultConfig.java, the connection is not properly initialized:

public DefaultConfig() {
    this.setLoggerFactory(LoggerFactory.DEFAULT);
    this.setVersion(this.readVersionFromProperties());
    boolean bouncyCastleRegistered = SecurityUtils.isBouncyCastleRegistered();
    this.initKeyExchangeFactories(bouncyCastleRegistered);
    this.initRandomFactory(bouncyCastleRegistered);
    this.initFileKeyProviderFactories(bouncyCastleRegistered);
    this.initCipherFactories();
    this.initCompressionFactories();
    this.initMACFactories();
    this.initSignatureFactories();

because of the:

if(bouncyCastleRegistered) {

statements in the init methods.

A solution for this issue, that has worked in my case, might be for isBouncyCastleRegistered() to also accept the Spongy Castle provider:

public static final String SPONGY_CASTLE = "SC";

public static synchronized boolean isBouncyCastleRegistered() {
    register();
    return BOUNCY_CASTLE.equals(securityProvider) || SPONGY_CASTLE.equals(securityProvider);
}
@willemw12
Copy link
Author

There are two more "BC" references:

./src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS8KeyFile.java:                pemConverter.setProvider("BC");
./src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS8KeyFile.java:                    decryptorBuilder.setProvider("BC");

Don't know whether that also is causing issues when using SSHJ with Spongy Castle.

@eidottermihi
Copy link
Contributor

I could workaround that issue with extending AndroidConfig

class SpongyCastleAndroidConfig extends AndroidConfig {
    public SpongyCastleAndroidConfig() {
        super();
        initKeyExchangeFactories(true);
        initFileKeyProviderFactories(true);
    }
}

and using that as Config. Works on Android 5.0.

@willemw12
Copy link
Author

@eidottermihi: Thanks. That workaround works. A minor update for sshj:0.23.0:

class SpongyCastleAndroidConfig extends AndroidConfig {
    public SpongyCastleAndroidConfig() {
        super();
        initKeyExchangeFactories(true);
        initRandomFactory(true);
        initFileKeyProviderFactories(true);
    }
}

eidottermihi added a commit to eidottermihi/sshj that referenced this issue Dec 21, 2017
…"bouncyCastle" (in fact, SpongyCastle is registered).

See hierynomus#308 for discussion.
hierynomus pushed a commit that referenced this issue Dec 28, 2017
* Add EdDSA signature for AndroidConfig.

* Initialize KeyExchange- and FileKeyProviderFactories with registered "bouncyCastle" (in fact, SpongyCastle is registered).

See #308 for discussion.
CCLiu added a commit to CCLiu/sshj that referenced this issue Jan 11, 2018
* Check whether filename is a child of the current file (Fixes hierynomus#341)

* Fixed codacy

* Updated README release notes

* Removed oraclejdk7 as that is no longer supported on trusty, added openjdk

* Added gradle caching to travis config

* Removed use of DataTypeConverter as that is no longer in default JDK9

* Removed build of broken openJDK7 in favour of using animal-sniffer to detect java 1.6 compatibility

* Improved test stability

* Correctly determine KeyType for ECDSA public key (Fixes hierynomus#356)

* fixed build

* Fixed Java9 build?

* Disambiguated signature initialization

* Removed deprecated method

* Organised imports

* Added 'out/' to gitignore

* Added support for new-style fingerprints (hierynomus#365)

* Added support for new-style fingerprints

* Fixed codacy warnings

* Fix decoding signature bytes (Fixes hierynomus#355, hierynomus#354) (hierynomus#361)

* Fix for signature verify in DSA

* Cleaned up signature verification

* Fixed import

* Ignored erroneous pmd warnings

* Updated JavaDoc

* Extracted ASN.1/DER encoding to method (hierynomus#368)

* Update net.i2p.crypto:eddsa to 0.2.0 (hierynomus#372)

* Update net.i2p.crypto:eddsa to 0.2.0

* Update net.i2p.crypto.eddsa to 0.2.0

* Update net.i2p.crypto.eddsa to 0.2.0

* Update net.i2p.crypto.eddsa to 0.2.0

* Log security provider registration failures (hierynomus#374)

* Migrate remaining block ciphers

* Updated README for v0.23.0 release

* Using new release plugin

* Updated build plugins

* Fix escaping in WildcardHostMatcher (hierynomus#382)

* Escape '[' and ']' in WildcardHostMatcher

* Anchoring regex to match entire string (Fixes hierynomus#381)

* Updated builds to include CodeCov

* - Experimenting with travis

* - fix ip for online testing

* - account for different working dir

* - yaml-yaml

* - double before_install

* - still -d

* - try common format

* - Fixed server keys
- Use sshj branding

* - grr, ip

* - minor improvements

* - eh?

* - switch username back

* - orly?

* - desperation

* - One more time

* Upgraded gradle to cope with java9

* Separated out integration tests

* Fixed length bug in putString (Fixes hierynomus#187)

* Removed docker from travis yml as it is included in gradle build now

* Added integration test to travis

* Update AndroidConfig (hierynomus#389)

* Add EdDSA signature for AndroidConfig.

* Initialize KeyExchange- and FileKeyProviderFactories with registered "bouncyCastle" (in fact, SpongyCastle is registered).

See hierynomus#308 for discussion.

* Added integration test for append scenario (Fixes hierynomus#390)

* Fixed headers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants