gregtwallace / apc-p15-tool

APC P15 Tool is an open source replacement for APC's NMC Security Wizard. It also adds additional functionality for installing certificates on APC NMC2 & NMC3.
GNU General Public License v3.0

No aes256-cbc 3des-cbc #5

Closed jgooMPI closed 5 months ago

jgooMPI commented 5 months ago

Hi,

I tried using your tool to upload the SSL certificate on my UPSs. For some of them it worked like a charm! Much appreciated!

However, for the majority of them, I ran into an error: install: failed to connect to host (ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr], server offered: [aes256-cbc 3des-cbc])

Is there any way to resolve this for those UPSs?

Thanks so much, Justin

gregtwallace commented 5 months ago

Did you try --insecurecipher? It should work I think.

That said, if you're in an environment where security matters, anything cbc is broken and insecure. You should update the UPS firmware instead.
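The negotiation failure quoted in this issue can be parsed to sort a fleet of UPSs into those whose SSH server offers only CBC ciphers (firmware update candidates) and everything else. This is an added example, not part of the thread and not apc-p15-tool's own code; `ParseMismatch`, `NeedsFirmwareUpdate`, the host labels and the host-to-error map are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// offerRe matches the negotiation error text quoted in this issue.
var offerRe = regexp.MustCompile(
	`no common algorithm for (.+?); client offered: \[(.*?)\], server offered: \[(.*?)\]`)

// Mismatch is one parsed negotiation failure.
type Mismatch struct {
	Kind           string // e.g. "client to server cipher"
	Client, Server []string
	CBCOnly        bool // every algorithm the server offered is a CBC-mode cipher
}

// ParseMismatch extracts both offers from an error string; ok is false
// when the string is not a "no common algorithm" failure.
func ParseMismatch(msg string) (mm Mismatch, ok bool) {
	m := offerRe.FindStringSubmatch(msg)
	if m == nil {
		return mm, false
	}
	mm = Mismatch{Kind: m[1], Client: strings.Fields(m[2]), Server: strings.Fields(m[3])}
	mm.CBCOnly = len(mm.Server) > 0
	for _, alg := range mm.Server {
		mm.CBCOnly = mm.CBCOnly && strings.HasSuffix(alg, "-cbc")
	}
	return mm, true
}

// NeedsFirmwareUpdate returns, sorted, the hosts whose failure shows a CBC-only server.
// errs maps a host label to the error text captured for it (hypothetical input shape).
func NeedsFirmwareUpdate(errs map[string]string) []string {
	var hosts []string
	for host, msg := range errs {
		if mm, ok := ParseMismatch(msg); ok && mm.CBCOnly {
			hosts = append(hosts, host)
		}
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	// Constructed sample: ups-a has a shortened form of this issue's error, ups-b an unrelated failure.
	errs := map[string]string{
		"ups-a": "ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes256-ctr], server offered: [aes256-cbc 3des-cbc]",
		"ups-b": "dial tcp: i/o timeout",
	}
	fmt.Println(NeedsFirmwareUpdate(errs)) // hosts to schedule for a firmware update
}
```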

jgooMPI commented 5 months ago

The debug information you requested is here:

C:\Users\jgoo\OneDrive - Mid-Pacific Institute\Desktop\apc-p15-tool_windows_amd64>ssh -vv 10.1.4.11
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug2: resolve_canonicalize: hostname 10.1.4.11 is address
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 10.1.4.11 [10.1.4.11] port 22.
debug1: Connection established.
debug1: identity file C:\Users\admin-jg/.ssh/id_rsa type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_rsa-cert type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_dsa type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_dsa-cert type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ecdsa type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ed25519 type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ed25519-cert type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ed25519_sk type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_xmss type -1
debug1: identity file C:\Users\admin-jg/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version cryptlib
debug1: compat_banner: no match: cryptlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.1.4.11:22 as 'midpac\admin-jg'
debug1: load_hostkeys: fopen C:\Users\admin-jg/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen C:\Users\admin-jg/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen PROGRAMDATA\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen PROGRAMDATA\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes256-cbc,3des-cbc
debug2: ciphers stoc: aes256-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
Unable to negotiate with 10.1.4.11 port 22: no matching cipher found. Their offer: aes256-cbc,3des-cbc

jgooMPI commented 5 months ago

Wow, thank you so much for your super fast response!

--insecurecipher worked just fine. Thank you!

gregtwallace commented 5 months ago

No problem :)