Our FTP server went through a migration for some better security (don't know many details about it).

But after the upgrade, we are not able to download/upload files from the server. It was working fine before the upgrade. The error log says:

```
ns0:Client
Could not connect to FTP Server.
http://schemas.cordys.com/ftpconnector/1.1
Cordys.FTPConnector.Messages.ftpserverConnectionFailed
com.eibus.applicationconnector.ftp.FTPException: Algorithm negotiation fail
    at com.eibus.applicationconnector.ftp.CordysSFTPClient.connect(CordysSFTPClient.java:78)
    at com.eibus.applicationconnector.ftp.FTPCommand.connect(FTPCommand.java:86)
    at com.eibus.applicationconnector.ftp.FTPTransaction.process(FTPTransaction.java:109)
    at com.eibus.soap.SOAPTransaction.handleBodyBlock(SOAPTransaction.java:1340)
    at com.eibus.soap.SOAPTransaction.(SOAPTransaction.java:546)
    at com.eibus.soap.SOAPTransaction.(SOAPTransaction.java:195)
    at com.eibus.soap.Processor.onReceive(Processor.java:1024)
    at com.eibus.soap.Processor.onReceive(Processor.java:997)
    at com.eibus.connector.nom.Connector.onReceive(Connector.java:483)
    at com.eibus.transport.NonTransactionalWorkerThreadBody.doWork(NonTransactionalWorkerThreadBody.java:61)
    at com.eibus.transport.NonTransactionalWorkerThreadBody.run(NonTransactionalWorkerThreadBody.java:26)
    at com.eibus.util.threadpool.WorkerThread.run(WorkerThread.java:67)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
    at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
    at com.jcraft.jsch.Session.connect(Session.java:286)
    at com.jcraft.jsch.Session.connect(Session.java:150)
    at com.eibus.applicationconnector.ftp.CordysSFTPClient.connectOnce(CordysSFTPClient.java:124)
    at com.eibus.applicationconnector.ftp.CordysSFTPClient.connect(CordysSFTPClient.java:64)
    ... 11 more
```

jsch jar version used is: jsch-0.1.41.jar

java version used is: 1.7.0_40

Note that

  1. We don't own the FTP server and can't change any settings there.
  2. Upgrading the Java version is not an option

Trial 1: After spending some time on Google, I understood that upgrading the jsch jar version might help. So I used the latest jsch jar, which is jsch-0.1.54.jar. After this I started getting the following error:

```
com.eibus.applicationconnector.ftp.FTPException: Session.connect: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
    at com.eibus.applicationconnector.ftp.CordysSFTPClient.connect(CordysSFTPClient.java:78)
    at com.eibus.applicationconnector.ftp.FTPCommand.connect(FTPCommand.java:86)
    at com.eibus.applicationconnector.ftp.FTPTransaction.process(FTPTransaction.java:109)
    at com.eibus.soap.SOAPTransaction.handleBodyBlock(SOAPTransaction.java:1340)
    at com.eibus.soap.SOAPTransaction.(SOAPTransaction.java:546)
    at com.eibus.soap.SOAPTransaction.(SOAPTransaction.java:195)
    at com.eibus.soap.Processor.onReceive(Processor.java:1024)
    at com.eibus.soap.Processor.onReceive(Processor.java:997)
    at com.eibus.connector.nom.Connector.onReceive(Connector.java:483)
    at com.eibus.transport.NonTransactionalWorkerThreadBody.doWork(NonTransactionalWorkerThreadBody.java:61)
    at com.eibus.transport.NonTransactionalWorkerThreadBody.run(NonTransactionalWorkerThreadBody.java:26)
    at com.eibus.util.threadpool.WorkerThread.run(WorkerThread.java:67)
Caused by: com.jcraft.jsch.JSchException: Session.connect: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
    at com.jcraft.jsch.Session.connect(Session.java:565)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at com.eibus.applicationconnector.ftp.CordysSFTPClient.connectOnce(CordysSFTPClient.java:124)
    at com.eibus.applicationconnector.ftp.CordysSFTPClient.connect(CordysSFTPClient.java:64)
    ... 11 more
```

Trial 2: Installed the unlimited strength jurisdiction policy files (www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html); this was also of no use. Got the same error.

Any pointers would be helpful.

Here is the piece of code I am using to connect to ftp:

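```java
import java.util.Properties;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;

// Method of the connector's SFTP client class; `session` and `logger` are fields of that class.
private void connectOnce(FTPConfiguration ftpConfiguration) throws JSchException {
    JSch jsch = new JSch();
    this.session = jsch.getSession(ftpConfiguration.getUsername(), ftpConfiguration.getServer(), ftpConfiguration.getPort());
    this.session.setPassword(ftpConfiguration.getPassword());

    Properties config = new Properties();
    // "no" disables SSH host key verification for this session.
    config.put("StrictHostKeyChecking", "no");
    this.session.setConfig(config);

    if (logger.isDebugEnabled()) {
      logger.debug("Opening SFTP connection to " + ftpConfiguration.getServer());
    }
    // Key exchange happens inside connect(); both errors above are raised from here.
    this.session.connect();
}
```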
CodeMatrix
Amit Agrawal
  • Can you set client version to `session.setClientVersion("SSH-2.0-OpenSSH_2.5.3")`? Last time, this helped me to resolve the issue. – sayboras Dec 15 '17 at 10:23
  • As you have resolved the "Algorithm negotiation fail" (which is actually a duplicate question), remove that part, as it just confuses the question. And update the question title accordingly! + Post [JSch log file](https://stackoverflow.com/q/47411185/850848). – Martin Prikryl Dec 15 '17 at 10:54
  • I am thinking I might find some solution with the old jsch jar as well, that's why the subject. And with the trial, I just wanted to provide more info regarding my investigation. – Amit Agrawal Dec 15 '17 at 17:27
  • @Apolozeus: Tried it, didn't work. Same issue – Amit Agrawal Dec 18 '17 at 02:18

1 Answer

I think I've found a solution.

The solution involves modifying the jsch source code (latest version 1.0.54). I've done some research and was finally able to force jsch to use the "Bouncy Castle" security provider. This involved changing the source code for the following classes in the jsch library:

  • com.jcraft.jsch.jce.KeyPairGenDSA
  • com.jcraft.jsch.jce.KeyPairGenECDSA
  • com.jcraft.jsch.jce.KeyPairGenRSA
  • com.jcraft.jsch.jce.DH

I've added the following argument wherever it was trying to getInstance of the keyGenerator.

```java
KeyPairGenerator.getInstance("DSA","BC");
```

Got some idea from this post (I've put security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider but it isn't being used during SSL handshake)

Amit Agrawal
  • Awesome @Amit It worked after fixing one error. That error was https://stackoverflow.com/questions/3711754/why-java-security-nosuchproviderexception-no-such-provider-bc – Vinayak Dornala Apr 13 '18 at 19:46
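
The "Prime size must be multiple of 64, and can only range from 512 to 1024" error in the question is raised when a JRE's Diffie-Hellman key pair generator is initialised with a prime larger than it supports. The probe below is an added example, not code from the question, the answer or the jsch project: it initialises the default "DH" generator and the "BC" one with constructed 1024-bit and 2048-bit primes and reports which sizes each accepts, so it can be run on the connector's JRE before and after the change. The class name `DhPrimeSizeProbe` and its methods are hypothetical; Bouncy Castle is loaded by reflection, so the file compiles without the BC jar and reports when the provider is missing.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.spec.DHParameterSpec;

public class DhPrimeSizeProbe {

    /** Returns "accepted", or the exception raised for this provider (null = JRE default). */
    static String probe(String provider, BigInteger p, BigInteger g) {
        try {
            KeyPairGenerator kpg = (provider == null)
                    ? KeyPairGenerator.getInstance("DH")
                    : KeyPairGenerator.getInstance("DH", provider);
            // Explicit (p, g), as a key exchange supplies them; the size check happens here.
            kpg.initialize(new DHParameterSpec(p, g));
            kpg.generateKeyPair();
            return "accepted";
        } catch (Exception e) {
            // Includes NoSuchProviderException when "BC" is not registered.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /** Registers Bouncy Castle if its jar is on the classpath; returns false otherwise. */
    static boolean registerBouncyCastle() {
        if (Security.getProvider("BC") != null) return true;
        try {
            Class<?> c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) c.getDeclaredConstructor().newInstance());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("BC registered = " + registerBouncyCastle());
        SecureRandom rnd = new SecureRandom();
        BigInteger g = BigInteger.valueOf(2);
        for (int bits : new int[] {1024, 2048}) {
            // Constructed test modulus of the requested size, not a value from any server.
            BigInteger p = BigInteger.probablePrime(bits, rnd);
            System.out.println(bits + "-bit, default provider: " + probe(null, p, g));
            System.out.println(bits + "-bit, BC provider:      " + probe("BC", p, g));
        }
    }
}
```

If the "BC" lines report `NoSuchProviderException`, the provider is not registered in that JVM, which is the error mentioned in the comment above.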