Forum Discussion
BIG-IP F5 VE - CIPHER error when attempting SSH
Hello F5 Gurus - Do you know if there is a fix for this issue in version 13.x of BIG-IP VE? Or if it's possible to upgrade openssh independently on the F5 VE?
Cipher error:
[root@BIGIP1:Active:Standalone] admin ssh lab@192.168.4.101
no matching cipher found: client aes128-cbc,aes256-cbc server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
++++++++++++++++++++++++++BIG-IP VE running old version of OpenSSH+++++++++++++++++++++++++++++++++++
[root@BIGIP1:Active:Standalone] admin ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1l-fips 15 Jan 2015 <--openssh version on Big-IP F5 VE 12.1.3 0.0.378
root@ubuntu:/home/lab ssh -V
OpenSSH_7.5p1 Ubuntu-10, OpenSSL 1.0.2g 1 Mar 2016 <--openssh version on Ubuntu 17.10 VM Server
+++++++++++++++++++++++++++++++++See note below +++++++++++++++++++++++++++++++++++++
Changes since OpenSSH 6.6
Potentially-incompatible changes
sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
7 Replies
- youssef1
Cumulonimbus
Hello,
I advise you not to update openssl. I think it might be possible, but F5 probably does not support your equipment anymore in this case. I think the easiest way is to ask this question to support; it will be more likely to answer you about it...
Can you enter this command and give me the output:
openssl s_client -connect 192.168.4.101:22
Regards.
- Daniel_Varela
Employee
I wouldn't recommend upgrading openSSH on your own. If you upgrade you will lose that for sure. If there is a problem with openSSH I'd recommend you talk to support.
- RiadSanchz
Cirrus
Hello Youssef -
Here is the info you requested:
[root@BIGIP1:Active:Standalone] admin openssl s_client -connect 192.168.4.101:22
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
- RiadSanchz
Cirrus
One more note:
Same command from my Ubuntu Server VM to the Big-IP VM -
root@ubuntu:/home/lab openssl s_client -connect 192.168.4.145:22
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1515490085
Timeout : 300 (sec)
- Daniel_Varela
Employee
I think you are mixing up things a bit. Openssl and openssh are different things.
- RiadSanchz
Cirrus
You are correct. Youssef asked me for that information and I got thrown off... Issue here is openssh
- RomanJ
Ret. Employee
Small correction, edit /etc/ssh/ssh_config (not sshd_config)
Thanks!
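
Added example, not part of the thread and not F5 code: a small shell script that takes the "no matching cipher found" line from the first post, shows that the two offers do not overlap, and builds a client-side `Ciphers` line from the server's offer. The function names and the `CLIENT_CAPABLE` list are assumptions; the list assumes the BIG-IP's OpenSSH 5.3p1 build includes the AES-CTR modes, as upstream OpenSSH of that version does.

```shell
#!/bin/sh
# Added example: explain an OpenSSH "no matching cipher found" error and
# propose a client-side Ciphers line. Error text copied from the thread.
ERR='no matching cipher found: client aes128-cbc,aes256-cbc server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Assumption: the old client build implements the AES-CTR modes (upstream
# OpenSSH has shipped them since 3.7) but not the GCM or ChaCha20 ciphers.
CLIENT_CAPABLE='aes128-ctr,aes192-ctr,aes256-ctr'

# Extract the comma-separated offer of each side from the error line.
client_offer() { printf '%s\n' "$1" | sed -n 's/.*client \([^ ]*\) server .*/\1/p'; }
server_offer() { printf '%s\n' "$1" | sed -n 's/.* server \([^ ]*\).*/\1/p'; }

# Print the members of comma list $1 that also appear in comma list $2,
# keeping the order of $1.
common() {
    out=
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$c,"*) out="${out:+$out,}$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the ssh_config directive from server-offered ciphers the client can
# run. Prints nothing when no such cipher exists.
suggest_ciphers() {
    usable=$(common "$(server_offer "$1")" "$CLIENT_CAPABLE")
    if [ -n "$usable" ]; then
        printf 'Ciphers %s\n' "$usable"
    fi
    return 0
}

echo "client offers : $(client_offer "$ERR")"
echo "server offers : $(server_offer "$ERR")"
echo "overlap       : $(common "$(client_offer "$ERR")" "$(server_offer "$ERR")")"
suggest_ciphers "$ERR"
```

Per the correction above, the resulting line belongs in the client's /etc/ssh/ssh_config, not sshd_config. `ssh -c aes128-ctr lab@192.168.4.101` tries a single cipher for one connection without editing the file.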