Topic "Key-exchange algorithm diffie-hellman-group1-sha1 was not verified!"

Hi Martin,

I have just updated WinSCP to the latest version, 5.9.2, and started to have problems with some of the SFTP accounts.
I mainly use WinSCP via scripting like so:

#--> This script was created by SQL <--#
# Automatically abort script on errors
option batch abort
# Disable overwrite confirmations that conflict with the previous
option confirm off
# Connect
open sftp://citmeddv:************.com/ -hostkey="*" -timeout=120
# Command Line
cd "Tmp_Input"
PUT "\\Device\Output\DM_201304_1203_1.csv"
# Disconnect
close
# Exit WinSCP
exit
#--> EOF This script was created by SQL <--#

And this is generating an error:

<?xml version="1.0" encoding="UTF-8"?>
<session xmlns="" name="" start="2016-09-28T06:16:58.867Z">
    <message>Key-exchange algorithm diffie-hellman-group1-sha1 was not verified!</message>

In the details we have:

. 2016-09-28 07:16:59.148 Enumerating network events for socket 1908
. 2016-09-28 07:16:59.148 Enumerated 1 network events making 1 cumulative events for socket 1908
. 2016-09-28 07:16:59.148 Handling network read event on socket 1908 with error 0
. 2016-09-28 07:16:59.148 Asking user:
. 2016-09-28 07:16:59.148 The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.
. 2016-09-28 07:16:59.148
. 2016-09-28 07:16:59.148 Do you want to continue with this connection? ()
. 2016-09-28 07:16:59.148 Attempt to close connection due to fatal exception:
* 2016-09-28 07:16:59.148 Key-exchange algorithm diffie-hellman-group1-sha1 was not verified!
. 2016-09-28 07:16:59.148 Closing connection.
. 2016-09-28 07:16:59.148 Sending special code: 12
. 2016-09-28 07:16:59.148 Selecting events 0 for socket 1908

Is there a workaround for this problem?
I already saw the KEX option but I don't know how to implement it.

Best regards
Site Admin
This should do:

open sftp://citmeddv:************.com/ -hostkey="*" -timeout=120 -rawsettings KEX=dh-group1-sha1


Though, obviously, the correct solution is to upgrade your server not to use an insecure KEX.
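To keep track of scripts that carry this override until the server is upgraded, here is an added example (not part of the original thread and not WinSCP's own code) that audits WinSCP script text for `open` commands that silently accept a weak KEX or skip host key verification. It assumes the KEX raw setting is a comma-separated preference list with a WARN marker; the sample script, host names and the `PLACEHOLDER` fingerprint are constructed.

```python
import re

# Treated as weak here; the thread names only diffie-hellman-group1-sha1,
# written dh-group1-sha1 in the KEX raw setting.
WEAK_KEX = {"dh-group1-sha1"}

def kex_without_warning(value):
    """Algorithms listed before the WARN marker (all of them if WARN is absent).

    Assumption: the KEX raw setting is a comma-separated preference list in
    which entries after WARN trigger the warning seen in the log above.
    """
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return names[:names.index("warn")] if "warn" in names else names

def audit_script(text):
    """Return (line_number, finding) for each risky switch on an `open` command."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        command = line.strip()
        if not command.lower().startswith("open "):
            continue  # comments and other commands carry no session switches
        if re.search(r'-hostkey="?\*"?(\s|$)', command, re.I):
            findings.append((number, "host key not verified (-hostkey=*)"))
        raw = re.search(r'-rawsettings\s+(.*)', command, re.I)
        kex = raw and re.search(r'\bKEX="?([^"\s]+)', raw.group(1), re.I)
        if kex:
            weak = sorted(WEAK_KEX.intersection(kex_without_warning(kex.group(1))))
            if weak:
                findings.append((number, "weak KEX accepted silently: " + ", ".join(weak)))
    return findings

# Constructed sample script; host and account names are placeholders.
SAMPLE = """\
option batch abort
open sftp://user@old.example.com/ -hostkey="*" -timeout=120 -rawsettings KEX=dh-group1-sha1
close
open sftp://user@new.example.com/ -hostkey="ssh-ed25519 255 PLACEHOLDER" -rawsettings KEX=ecdh,dh-gex-sha1,WARN,dh-group1-sha1
close
exit
"""

if __name__ == "__main__":
    for number, finding in audit_script(SAMPLE):
        print(f"line {number}: {finding}")
```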


Thank you very much Martin! This is exactly what I needed!

Best regards
