Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

Armin

2023-07-20 11:31

Hi Martin,

Apologize for the late respond, thanks for the help.

I already mentioned to the team that it is better to remove the KEX algorithm from the server side.

martin

2023-06-29

@Guest: In .NET assembly, if you configure particular KEX below/after the WARN, the assembly won't use the KEX (will rather fail the connection, if no KEX above/before WARN is supported by the server).
https://winscp.net/eng/docs/rawsettings#kex

Guest

2023-06-26 13:09

Hi @Martin, for security reason I want to remove some of the KEX options that is available in WinSCP.

Oh I am sorry I forgot to mention that I am developing a .NET Application that use WinSCP library to connect to the SFTP Server.

I can add new KEX using AddRawSetting but I don't know how to remove the KEX options in the WinSCP Library.

So I assume it can only be done at server side. Is that correct?

martin

2023-06-26

@Armin: Well, I do not know what exactly are you trying to achieve. If you control both client(s) and the server, then indeed it's the server that should be configured not to allow the unwanted KEX in the first place.

Armin

2023-06-25 13:17

Hi Martin,

From what I understand WinSCP can support multiple KEX.
they want me to remove this options "diffie-hellman-group1-sha1"
Is that possible?

I just saw this post
How to use diffie-hellman-group-exchange-sha256 in the KEX=

Does it mean, we don't need to change it from the client side, only the server side need to decide which KEX that the server accept, am I right?

martin

Re: Limit the KEX options

2023-06-22

@Armin: That's quite vague. Are you looking for this?
https://winscp.net/eng/docs/ui_login_kex
In any case, algorithms should primarily be restricted on the server-side.

Armin

Limit the KEX options

2023-06-21 02:48

Is it possible to limit the KEX options?

Due the security reason they want to limit the KEX.

martin

Re: Key Exchange

2021-11-08

WinSCP supports all four algorithms that you were asked to use:
https://winscp.net/eng/docs/ssh_algorithms

ddremiere@oxya.com

Key Exchange

2021-11-05 11:10

Hi,
due to security requirements I have been asked to only use below KEX to connect to an SFTP site:

diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

Following ones are refused:

diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
rsa1024-sha1

KEX names available in WinSCP (found for KEX parameter in https://winscp.net/eng/docs/rawsettings) are all with SHA-1 except ECDH.
But is it ECDH SHA-1 or SHA-2?

If SHA-1, it means I have to choose another SFTP ftp software, right?
Thx in advance
Regards
Daniel

Post a reply

Topic review

Re: Limit the KEX options

Limit the KEX options

Re: Key Exchange

Key Exchange

Documentation

Support

Associations

Follow Us