Reject negotiation with not secure cipher.

Good morning,

we are using winSCP to connect to a SFTPServer, We need to use a AES-256 Cipher. In our firewall we see the tracelogs and we see the following problem:
- if we (client) start the negotiation we are able to use the cipher we want.
- but if the server is who start the negotiation use other not secure ciphert and we accept it.

Is there a way to reject this? Is there a way to force to use the cipher we want?

Thanks so much!

You can move the cipher you do not want to use below the warning threshold:
https://winscp.net/eng/docs/ui_login_ssh#encryption_options
That will allow you to reject the connection, if the weak cipher is selected.

Hi again,

we have set just the cypher we need (AES) over de warning thresold. Maybe the problem is that we need to use AES256 but we are accepting AES128 (both AES), is there a way to reject this one?

We need to use aes256-ctr mac: hmc-sha2-256. Can we configure the WinSCP client to use always this parameters in the cipher negotiation? (regardless of who initiates the negotiation?)

Thank so much.

Regards,

No, you cannot selectively choose between AES 256 and 128.
This feature is on PuTTY TODO list:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/cipher-selection.html
I do not understand what does hmac-sha2-256 have to do with AES.