2

I'm in the process of creating a simple Mule flow in Anypoint Studio - it polls a directory periodically, and when a file is placed in the directory it sends it to an SFTP server. However, when the application starts negotiating a secure connection with the server, it fails with this error:

java.io.IOException: Error during login to username@host: Session.connect: java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 2047 is not supported

The stack trace references several files from the jsch library. The solutions in previous questions recommended upgrading to Java 8, using a different version of jsch, or editing the jsch jars themselves. My Mule server (version 3.9.0 EE) is already on Java 8, I've tried a few different versions of jsch, and editing the jars is not practical, since this application will be deployed to a few different environments.

I'm able to log in to the sftp server using the same credentials as the application via WinSCP. A coworker has tried modifying a working flow to use the same credentials to move the same file, and they get the same error. Here is the XML of my flow:

    <flow name="ClCoFlow">
        <file:inbound-endpoint path="${file.from}"
            moveToDirectory="${file.backup}" responseTimeout="10000"
            doc:name="Get File to Transfer" />
        <logger
            message="#[flowVars.originalFilename] being moved to #[flowVars.moveToDirectory]"
            level="INFO" doc:name="File In" />
        <sftp:outbound-endpoint exchange-pattern="one-way"
            host="${sftp.host}" port="${sftp.port}" path="${sftp.path}" user="${sftp.user}"
            password="${sftp.password}" responseTimeout="10000" doc:name="SFTP" />
        <logger message="#[flowVars.originalFilename] sent to sftp service"
            level="INFO" doc:name="File sent" />
    </flow>

Thanks in advance for any help you can provide

EDIT

Though Mule is built on Java, and Mule applications are built behind the scenes using Java and Spring, there is no writing of actual Java code involved in creating a Mule flow.

trauch
  • 1
    This might help: [DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive)](https://stackoverflow.com/q/40381968/3776858) – Cyrus Jun 19 '18 at 20:23
  • 1
    Changing the provider list should be done in your code _before_ invoking jsch. If you can't do that, you can also configure it in the file JRE/lib/security/java.security through j8 or JRE/conf/security/java.security in j9 (and I expect 10), with the caveat those apply to _all_ programs run in that JRE. PS: WinSCP works because it uses a completely different protocol implementation, namely the one in C from putty. – dave_thompson_085 Jun 19 '18 at 23:45

1 Answer

3

Changing the provider seems to be the way to go here. Unfortunately, there is no way to do so with Mule connectors, so we kind of have to rewrite the SFTP connector in plain Java. After downloading the bouncycastle .jars, put them in src/main/app/lib, then add them to the build path. You should be able to import them (for some reason I had to import org.python.bouncycastle.jce.provider rather than org.bouncycastle.jce.provider). At the top of my code I put:

Security.insertProviderAt(new BouncyCastleProvider(), 1);

and when the flow runs, the DH key is properly negotiated and no errors are thrown.

trauch
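A way to check the provider change discussed in the answer and comments above, added here as an example and not code from the original posts: it asks the JVM for a "DH" key pair generator before and after `Security.insertProviderAt`, feeds it a 2047-bit group, and prints the resulting provider order, since the insert changes provider preference for the whole JVM. Assumptions: the Bouncy Castle provider jar is on the classpath under its usual package name, and the class name `DhProviderCheck` and the random 2047-bit test prime are constructed for this illustration.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.spec.DHParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class DhProviderCheck {

    /** Initialises a "DH" generator with the group and reports which provider handled it. */
    static String tryDh(DHParameterSpec group) {
        try {
            // No provider named: the JVM picks by preference order, as a library
            // calling getInstance("DH") would.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            String provider = kpg.getProvider().getName();
            try {
                kpg.initialize(group); // the key size check from the error message happens here
                return provider + ": accepted " + group.getP().bitLength() + "-bit group";
            } catch (GeneralSecurityException e) {
                return provider + ": rejected (" + e.getMessage() + ")";
            }
        } catch (GeneralSecurityException e) {
            return "no DH provider available: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed input: a random 2047-bit prime with generator 2. It only
        // exercises the size check and is not a group to use for real key exchange.
        BigInteger p = BigInteger.probablePrime(2047, new SecureRandom());
        DHParameterSpec group = new DHParameterSpec(p, BigInteger.valueOf(2));

        System.out.println("before: " + tryDh(group));

        // Returns the position used, or -1 if the provider was already installed.
        int pos = Security.insertProviderAt(new BouncyCastleProvider(), 1);
        System.out.println("insertProviderAt returned " + pos);

        System.out.println("after:  " + tryDh(group));

        // The change is JVM-wide: every getInstance() call without an explicit
        // provider now consults this order, so print it for review.
        for (Provider prov : Security.getProviders()) {
            System.out.println("  " + prov.getName() + " " + prov.getInfo());
        }
    }
}
```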