If key exchange fails, move on to next one


BlueGI55
Guest

Similar to topic # 24634, I am getting an error "server's host key did not match the signature supplied". I have no stored keys, and it happens on a clean system as well.

It fails on the first ECDH key exchange policy, but if I switch the listing to the next one, Diffie, it works.

Is there any way to tell WinSCP to move on to the next policy if the first one fails? Being a list, I would think this should already be the case.

Note this is happening on a system that uses multiple destination sites and this is only happening on one of those. Since the same process is being used for different destinations, I would like to know if this can be controlled at a global level.

This also happens using PuTTY. But FileZilla handles it without problem.

Thanks in advance for any input.

martin
Site Admin

Re: If key exchange fails, move on to next one

It's a bug in the server. I do not see why WinSCP should silently ignore it.

And I do not think that FileZilla does. It's rather that your version of FileZilla does not support that key type or has another key type cached already (as described in the topic you link to).

bluegi55
Guest

Re: If key exchange fails, move on to next one

I get what you're saying, and we may have to resort to manual processing for the time being. Unfortunately, I have no control over the server, and any requests I make fall on deaf ears.

Everything is up to date, including FileZilla, and it works on a clean install that just has the base Windows (from a VM image). I install everything new to ensure it's clean. I don't know how FileZilla does key exchanges. But WinSCP fails on all machines on the default first ECDH.

My original intention for the post was to see if we could trap the error (not ignore it), but still move on to the next algorithm. If we are passing a list either through the UI or through the rawsettings parameters, then what is the purpose of the list? It should just take one value in that case.

martin
Site Admin

Re: If key exchange fails, move on to next one

bluegi55 wrote:

Everything is up to date, including FileZilla, and it works on a clean install that just has the base Windows (from a VM image). I install everything new to ensure it's clean. I don't know how FileZilla does key exchanges. But WinSCP fails on all machines on the default first ECDH.
Can you post a verbose FileZilla log file?

If we are passing a list either through the UI or through the rawsettings parameters, then what is the purpose of the list? It should just take one value in that case.
The purpose of the list is to set your preferences. WinSCP will automatically pick the first algorithm that the server also supports. If the server starts supporting a more preferred algorithm in the future, WinSCP can start using it. That would not be possible if it were a single-value option.

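The selection rule described in the reply above, as an added example that is not part of the original thread and is not WinSCP's code: a Python sketch of SSH key exchange algorithm negotiation as specified in RFC 4253, section 7.1. The server lists and the `broken_on_server` parameter are constructed for illustration, and the sketch leaves out the RFC's host key compatibility and guessed-packet rules.

```python
"""Added illustration of SSH algorithm negotiation (RFC 4253, section 7.1)."""

class NegotiationError(Exception):
    """No algorithm is common to both sides."""

class HostKeyVerificationError(Exception):
    """The server's signature over the exchange hash did not verify."""

def parse_name_list(value):
    """Split an SSH name-list (comma-separated, order significant)."""
    return [name for name in value.split(",") if name]

def negotiate(client_prefs, server_algs):
    """Return the first client-preferred name that the server also lists."""
    offered = set(server_algs)
    for name in client_prefs:
        if name in offered:
            return name
    raise NegotiationError("no common algorithm")

def connect(client_kex, server_kex, broken_on_server=()):
    """Simulate one connection attempt.

    The algorithm is chosen once, from the two advertised lists. A failed
    signature check ends the session; the next list entry is not tried.
    broken_on_server is a constructed stand-in for a faulty server.
    """
    kex = negotiate(parse_name_list(client_kex), parse_name_list(server_kex))
    if kex in broken_on_server:
        raise HostKeyVerificationError(f"signature check failed after {kex}")
    return kex

# Constructed sample lists using standard SSH algorithm names.
SERVER = "ecdh-sha2-nistp256,diffie-hellman-group14-sha256"
ECDH_FIRST = "ecdh-sha2-nistp256,diffie-hellman-group14-sha256"
DH_FIRST = "diffie-hellman-group14-sha256,ecdh-sha2-nistp256"
BROKEN = {"ecdh-sha2-nistp256"}

if __name__ == "__main__":
    try:
        connect(ECDH_FIRST, SERVER, BROKEN)
    except HostKeyVerificationError as err:
        print("aborted:", err)
    # Changing the preference order changes what is negotiated.
    print("reordered:", connect(DH_FIRST, SERVER, BROKEN))
    # A server that later adds a more preferred algorithm gets it picked.
    print("upgraded:", connect("curve25519-sha256," + ECDH_FIRST,
                               "curve25519-sha256," + SERVER))
```
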
