Disconnect reason: Invalid host key signature
Hello,
Recently I upgraded my Cerberus to version 12.11.0 and my clients started having an issue connecting to the FTP.
For example, I have a user called TESTUSER.
The TESTUSER reads and sends files through SFTP. Most of the connections work fine and the login is done without problems.
But in some connections the login fails with the following error in the Cerberus log: "Invalid host key signature".
Server log:
[2022-11-23 05:32:40]:CONNECT [591309] - Incoming connection request on SSH SFTP listener 14 at xxx accepted from xxx [Allow Listed]
[2022-11-23 05:32:40]: INFO [591309] - Client Identification: SSH-2.0-maverick_legacy_1.7.32
[2022-11-23 05:32:40]:CONNECT [591309] - Agreed upon KEX: 'diffie-hellman-group-exchange-sha256' Host Key: 'ssh-rsa' C2S : 'aes256-ctr, hmac-sha2-256, none' S2C : 'aes256-ctr, hmac-sha2-256, none'
[2022-11-23 05:32:40]: INFO [591309] - DH Key sizes: Server Public '2046', Private '223', Client Public '2048'
[2022-11-23 05:32:40]:CONNECT [591309] - Disconnect reason: Invalid host key signature
[2022-11-23 05:32:40]:CONNECT [591309] - The client closed the connection
[2022-11-23 05:32:40]:CONNECT [591309] - Connection terminated
Client info:
We are doing a very high number of connections to your server and just a small part of them are unsuccessful. As we always retry, we are always able to deliver the files.
During the last 14 days, we made 50’658 connections to ftp and 210 of them failed (with the error: “session channel closed by server”).
Do you have any information about the error and why it started?
Thank you for your help.
-
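An added example, not part of the original thread and not Cerberus's own tooling: one way to measure how often the logged error occurs for each negotiated parameter set, by grouping log lines on the connection id in brackets. The line format is taken from the server log in the post above; session 591310 and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Session 591309 is the failing session from the post; 591310 is a constructed successful one.
SAMPLE_LOG = """\
[2022-11-23 05:32:40]:CONNECT [591309] - Incoming connection request on SSH SFTP listener 14 at xxx accepted from xxx [Allow Listed]
[2022-11-23 05:32:40]: INFO [591309] - Client Identification: SSH-2.0-maverick_legacy_1.7.32
[2022-11-23 05:32:40]:CONNECT [591309] - Agreed upon KEX: 'diffie-hellman-group-exchange-sha256' Host Key: 'ssh-rsa' C2S : 'aes256-ctr, hmac-sha2-256, none' S2C : 'aes256-ctr, hmac-sha2-256, none'
[2022-11-23 05:32:40]: INFO [591309] - DH Key sizes: Server Public '2046', Private '223', Client Public '2048'
[2022-11-23 05:32:40]:CONNECT [591309] - Disconnect reason: Invalid host key signature
[2022-11-23 05:32:40]:CONNECT [591309] - Connection terminated
[2022-11-23 05:32:41]:CONNECT [591310] - Incoming connection request on SSH SFTP listener 14 at xxx accepted from xxx [Allow Listed]
[2022-11-23 05:32:41]: INFO [591310] - Client Identification: SSH-2.0-maverick_legacy_1.7.32
[2022-11-23 05:32:41]:CONNECT [591310] - Agreed upon KEX: 'diffie-hellman-group-exchange-sha256' Host Key: 'ssh-rsa' C2S : 'aes256-ctr, hmac-sha2-256, none' S2C : 'aes256-ctr, hmac-sha2-256, none'
[2022-11-23 05:32:41]: INFO [591310] - DH Key sizes: Server Public '2048', Private '223', Client Public '2048'
[2022-11-23 05:32:45]:CONNECT [591310] - Connection terminated
"""
# "[timestamp]:KIND [connection id] - message"
LINE = re.compile(r"^\[[^\]]+\]:\s*\w+\s+\[(?P<sid>\d+)\] - (?P<msg>.*)$")
FIELDS = {
    "client": re.compile(r"Client Identification: (\S+)"),
    "kex": re.compile(r"Agreed upon KEX: '([^']+)'"),
    "host_key": re.compile(r"Host Key: '([^']+)'"),
    "dh_server_pub": re.compile(r"Server Public '(\d+)'"),
    "disconnect": re.compile(r"Disconnect reason: (.+)"),
}

def parse_sessions(text):
    """Collect the negotiated parameters and disconnect reason per connection id."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        if not (m := LINE.match(line.strip())):
            continue  # skip lines that are not in the expected log format
        for name, rx in FIELDS.items():
            if hit := rx.search(m["msg"]):
                sessions[m["sid"]].setdefault(name, hit.group(1))
    return dict(sessions)

def summarize(sessions, reason="Invalid host key signature"):
    """Count total and failed sessions per (client, KEX, host key algorithm)."""
    out = defaultdict(lambda: {"total": 0, "failed": 0, "failed_dh_server_pub": []})
    for s in sessions.values():
        row = out[(s.get("client"), s.get("kex"), s.get("host_key"))]
        row["total"] += 1
        if s.get("disconnect") == reason:
            row["failed"] += 1
            row["failed_dh_server_pub"].append(s.get("dh_server_pub"))
    return dict(out)
```

Run over a full day's log, the per-group failure counts show whether the error is tied to one client version or algorithm set, which is useful detail to attach to a support ticket.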
Hello Filipe!
I would first suggest trying to update to version 12.11.3, as there have been a number of improvements since 12.11. But a possibility may lie in the article that I will link below. As of 12.11, we've introduced OpenSSL 3.0 to introduce support for TLS v1.3 and to maintain compliance with the latest FIPS 140-2 standard. A way to test your current connection issues would be to temporarily turn off FIPS 140-2, IF your company allows, then see if the connections complete.
If you are in need of further help, please do not hesitate to reach out to us at Support@cerberusftp.com.
0 -
Hello,
I don't have FIPS 140 enabled.
I updated my integration environment to the latest version 12.11.3 to test and I have the same problem there.
The funny thing is, if the client retries the connection when it fails, they are able to connect again. Sometimes it fails with the error "Invalid host key signature", but most of the time it works properly.
0 -
Hello Filipe,
It looks like this may take a bit more troubleshooting. I see that you currently have a ticket open with one of our Application Support Engineers, which is great! They will work with you until we've come to a resolution for your issue. Thank you for taking the time to post this issue to our forum!
0 -
Hello Connor,
Yes, I already opened a ticket and I think it is under analysis.
I appreciate your help. Thank you.
The files are being processed because, in case of a connection error, the client retries the connection, but in any case the client will receive errors when it fails.
I don't know if I should revert to my previous Cerberus version or wait some time for the support analysis.
0 -
Hello Filipe,
I've checked the progress of the ticket, and I can confirm that our development team is currently investigating this issue, and Ian should have an update for you sometime today if all goes well on their side!
0