diffie-hellman-group-exchange-sha256 is very slow and take ~30 seconds

[sefinx]

connecting [xxxxxxxxxxxxxxxxxxxxxxxxx] ... CLIENT[sftp]: connect: Debugging turned on CLIENT[sftp]: ssh2-sftp-client Version: 10.0.3 { "node": "18.16.0", "acorn": "8.8.2", "ada": "1.0.4", "ares": "1.19.0", "brotli": "1.0.9", "cldr": "42.0", "icu": "72.1", "llhttp": "6.0.10", "modules": "108", "napi": "8", "nghttp2": "1.52.0", "nghttp3": "0.7.0", "ngtcp2": "0.8.1", "openssl": "3.0.8+quic", "simdutf": "3.2.2", "tz": "2022g", "undici": "5.21.0", "unicode": "15.0", "uv": "1.44.2", "uvwasi": "0.0.15", "v8": "10.2.154.26-node.26", "zlib": "1.2.13" } CLIENT[sftp]: connect: Connect attempt 1 Custom crypto binding not available Local ident: 'SSH-2.0-ssh2js1.15.0' Client: Trying xxxxxxxxxxxxxxxxxxxxxxxxx on port 22 ... Socket connected Remote ident: 'SSH-2.0-OBS SFTP Server [SERVER]' Outbound: Sending KEXINIT Inbound: Handshake in progress Handshake: (local) KEX method: curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,ext-info-c,kex-strict-c-v00@openssh.com Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha256,ext-info-s Handshake: KEX algorithm: diffie-hellman-group-exchange-sha256 Handshake: (local) Host key format: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa Handshake: (remote) Host key format: rsa-sha2-512,rsa-sha2-256,ssh-rsa Handshake: Host key format: rsa-sha2-512 Handshake: (local) C->S cipher: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com Handshake: (remote) C->S cipher: aes256-ctr,aes256-cbc Handshake: C->S Cipher: aes256-ctr Handshake: (local) S->C cipher: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com Handshake: (remote) S->C cipher: aes256-ctr,aes256-cbc Handshake: S->C cipher: aes256-ctr Handshake: (local) C->S MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 Handshake: (remote) C->S MAC: hmac-sha2-256 Handshake: C->S MAC: hmac-sha2-256 Handshake: (local) S->C MAC: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 Handshake: (remote) S->C MAC: hmac-sha2-256 Handshake: S->C MAC: hmac-sha2-256 Handshake: (local) C->S compression: none,zlib@openssh.com,zlib Handshake: (remote) C->S compression: none,zlib,zlib@openssh.com Handshake: C->S compression: none Handshake: (local) S->C compression: none,zlib@openssh.com,zlib Handshake: (remote) S->C compression: none,zlib,zlib@openssh.com Handshake: S->C compression: none Outbound: Sending KEXDH_GEX_REQUEST Received DH GEX Group

Outbound: Sending KEXDH_GEX_INIT Received DH GEX Reply Received DH Reply Host accepted by default (no verification) Host accepted (verified) Outbound: Sending NEWKEYS Inbound: NEWKEYS Verifying signature ... Verified signature Handshake completed

[mscdex]

Yep, modern versions of OpenSSL do a lot of extra checks on DH values in the name of security. You're better off using Curve25519 instead where possible, which AFAIU does not incur these kinds of penalties.

[sefinx]

thanks for your reply @mscdex . the problem is that I don't control this, this is the only algorithm the server that Im trying to connect supports - so I have to work with this. is there a way reduce the amount of checks so its faster? one thing that I forgot to mention, when trying from sftp cli (from openSSH package) - it connects less than a second.

[mscdex]

is there a way reduce the amount of checks so its faster?

Short of patching OpenSSL and/or node, there is no way to reduce the amount of checking.

when trying from sftp cli (from openSSH package) - it connects less than a second

I wouldn't be surprised if OpenSSH is utilizing different APIs and/or doing some things themselves when performing DH.

[mscdex]

Additionally you could try newer versions of node and/or OpenSSL (if your copy of node is using system OpenSSL), it's possible improvements in OpenSSL could make things faster somehow.

[sefinx]

@mscdex thank you for your reply, I will try your suggestions.