[NETCONF-421] SSH issue: unable to open SSH session due to invalid crypto configuration Created: 12/May/17  Updated: 15/Mar/19  Resolved: 07/Jul/17

Status: Resolved
Project: netconf
Component/s: netconf
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: ChristopheBetoule Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All

External issue ID: 8431

 Description   

Hi all,

I'm using the Opendaylight Boron Distribution and I have got some problems to connect it to a NETCONF server embedded in a ConfD simulator using SSH. This issue seems to appear from Boron SR2 release and seems not have been resolved yet.

An Invalid Algorithm Parameter Exception is raised when trying to connect Opendaylight to a NETCONF device and OpenDaylight fails to open an SSH session with the device :

2017-05-03 16:40:53,927 | INFO | 3]-nio2-thread-2 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Server version string: SSH-2.0-ConfD-6.0 2017-05-03 16:40:53,928 | WARN | 3]-nio2-thread-7 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Exception caught java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported

2017-05-03 16:40:53,929 | WARN | 3]-nio2-thread-7 | AsyncSshHandler | 217 - org.opendaylight.netconf.netty-util - 1.2.0.SNAPSHOT | Unable to setup SSH connection on channel: [id: 0x19ec738f] org.apache.sshd.common.SshException: Session is closed

One workaround is to locate mina sshd jar in Opendaylight distribution’s system folder. From Boron release, it is :
•Go to : [ODLprojectfolder]/karaf/target/assembly/system/org/apache/sshd/sshd-core/0.14.0/sshd-core-0.14.0.jar
•Open the jar file, locate META-INF/MANIFEST.MF file and edit the file
•Find org.bouncycastle.openssl;version=”[1.51,2)”;resolution:=optional (at the end of the MANIFEST.MF file) and then delete ;resolution:=optional

Note that this must be done after the project's compilation, but before Karaf is started for the first time.

Does anyone know if and when this issue will be fixed ?

Thanks, Christophe

 Comments   
Comment by Tomas Cere [ 28/Jun/17 ]

This shouldbe fixed by adding bouncy castle to startup bundles
https://git.opendaylight.org/gerrit/#/c/58133/

Comment by Gwenael Lambrouin [ 07/Jul/17 ]

The fix is merged on master (nitrogen). It cannot be cherry-picked directly for stable/carbon or stable/boron because it is based on karaf4.

However, in essence, it works for me on stable/carbon: after the karaf build, if I edit karaf/target/assembly/etc/startup.properties and append the line:

mvn\:org.bouncycastle/bcprov-jdk15on/1.56 = 14

then sshd-core will use bcprov right after the karaf startup, and the netconf/ssh connection works (in my case: with netconf-testtool and a Juniper MX5 routers running JunOS 14.2R1.9).

Now, the question is: is it possible to automate that during the build of the karaf distribution? I tried this in my karaf/pom.xml, but this did not work (and did not cause a build error either):

<build>
<plugins>
<!-- ... -->
<plugin>
<groupId>org.apache.karaf.tooling</groupId>
<artifactId>karaf-maven-plugin</artifactId>
<configuration>
<startupFeatures>
<feature>bcprov-jdk15on</feature>
</startupFeatures>
</configuration>
</plugin>
</plugins>
</build>

Besides, should not we also add bcpkix to startup.properties? During my investigations, I observed that sshd-core used osgi packages in bcpkix. Seems unnecessary for the present issue, but could lead to other problems later...

Generated at Wed Feb 07 20:14:59 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.