[NETCONF-421] SSH issue: unable to open SSH session due to invalid crypto configuration Created: 12/May/17 Updated: 15/Mar/19 Resolved: 07/Jul/17 |
|
| Status: | Resolved |
| Project: | netconf |
| Component/s: | netconf |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | ||
| Reporter: | ChristopheBetoule | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Operating System: All |
||
| External issue ID: | 8431 |
| Description |
|
Hi all, I'm using the Opendaylight Boron Distribution and I have got some problems to connect it to a NETCONF server embedded in a ConfD simulator using SSH. This issue seems to appear from Boron SR2 release and seems not have been resolved yet. An Invalid Algorithm Parameter Exception is raised when trying to connect Opendaylight to a NETCONF device and OpenDaylight fails to open an SSH session with the device : 2017-05-03 16:40:53,927 | INFO | 3]-nio2-thread-2 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Server version string: SSH-2.0-ConfD-6.0 2017-05-03 16:40:53,928 | WARN | 3]-nio2-thread-7 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Exception caught java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported 2017-05-03 16:40:53,929 | WARN | 3]-nio2-thread-7 | AsyncSshHandler | 217 - org.opendaylight.netconf.netty-util - 1.2.0.SNAPSHOT | Unable to setup SSH connection on channel: [id: 0x19ec738f] org.apache.sshd.common.SshException: Session is closed One workaround is to locate mina sshd jar in Opendaylight distribution’s system folder. From Boron release, it is : Note that this must be done after the project's compilation, but before Karaf is started for the first time. Does anyone know if and when this issue will be fixed ? Thanks, Christophe |
| Comments |
| Comment by Tomas Cere [ 28/Jun/17 ] |
|
This shouldbe fixed by adding bouncy castle to startup bundles |
| Comment by Gwenael Lambrouin [ 07/Jul/17 ] |
|
The fix is merged on master (nitrogen). It cannot be cherry-picked directly for stable/carbon or stable/boron because it is based on karaf4. However, in essence, it works for me on stable/carbon: after the karaf build, if I edit karaf/target/assembly/etc/startup.properties and append the line: mvn\:org.bouncycastle/bcprov-jdk15on/1.56 = 14 then sshd-core will use bcprov right after the karaf startup, and the netconf/ssh connection works (in my case: with netconf-testtool and a Juniper MX5 routers running JunOS 14.2R1.9). Now, the question is: is it possible to automate that during the build of the karaf distribution? I tried this in my karaf/pom.xml, but this did not work (and did not cause a build error either): <build> Besides, should not we also add bcpkix to startup.properties? During my investigations, I observed that sshd-core used osgi packages in bcpkix. Seems unnecessary for the present issue, but could lead to other problems later... |