[NETCONF-887] Netconf callhome failed for devices with old KEX algorithms (SHA1) Created: 18/Jun/22  Updated: 30/Jan/23  Resolved: 30/Jan/23

Status: Resolved
Project: netconf
Component/s: netconf
Affects Version/s: 2.0.11, 3.0.0, 4.0.0, 5.0.0, 2.0.17, 3.0.8, 4.0.5, 5.0.1
Fix Version/s: 3.0.9, 4.0.6, 5.0.2

Type: Bug Priority: High
Reporter: Evgenii Limonov Assignee: Peter Suna
Resolution: Done Votes: 0
Labels: pt
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Blocks
is blocked by NETCONF-942 Callhome session is closed after allo... Resolved
Relates
relates to NETCONF-765 Auth failed - Unable to negotiate key... Resolved

Description

An exception is thrown when devices with old KEX algorithms (SHA1) try to call home to ODL.

This issue looks similar to the fixed NETCONF-765 (SHA1 nodes work properly if we add them without call home) and is probably related to the SHA1 algorithms being disabled in Mina SSHD since 2.6.0, but some devices cannot be upgraded with new SSH modules (i.e. to use new KEX algorithms).

 

debug.log details:

2022-06-18T19:40:33.297Z||entLoopGroup-4-1|INFO |LoggingHandler                  |72 - io.netty.common - 4.1.69.Final|[id: 0x4914be67, L:/0.0.0.0:6666] READ: [id: 0x5d01a013, L:/10.233.72.16:6666 - R:/10.233.64.27:64288]
2022-06-18T19:40:33.299Z||entLoopGroup-4-1|INFO |LoggingHandler                  |72 - io.netty.common - 4.1.69.Final|[id: 0x4914be67, L:/0.0.0.0:6666] READ COMPLETE
2022-06-18T19:40:33.308Z||entLoopGroup-4-1|WARN |ClientSessionImpl               |402 - org.opendaylight.netconf.shaded-sshd - 2.0.11|exceptionCaught(ClientSessionImpl[null@/10.233.64.27:64288])[state=Opened] SshException: Unable to negotiate key exchange for kex algorithms (client: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)
2022-06-18T19:40:33.308Z||entLoopGroup-4-1|INFO |ClientSessionImpl               |402 - org.opendaylight.netconf.shaded-sshd - 2.0.11|Disconnecting(ClientSessionImpl[null@/10.233.64.27:64288]): SSH2_DISCONNECT_KEY_EXCHANGE_FAILED - Unable to negotiate key exchange for kex algorithms (client: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1) 

 



Comments
Comment by Robert Varga [ 20/Jun/22 ]

Yeah, seems like call home is doing its own thing and not using NetconfSshClient.

Comment by Ivan Hrasko [ 18/Jan/23 ]

Yes, NetconfCallHomeServerBuilder is using:

private SshClient sshClient() {
    return sshClient != null ? sshClient : defaultSshClient();
}

private static SshClient defaultSshClient() {
    return SshClient.setUpDefaultClient();
}

Let's reuse the solution from NETCONF-765.
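As an added illustration (not OpenDaylight's code and not the actual NETCONF-765 patch), the following shows what the comment above is pointing at: a Mina SSHD client built with the library's default KEX preference list and the two SHA-1 Diffie-Hellman groups that the device in the log offers (diffie-hellman-group14-sha1, diffie-hellman-group1-sha1) appended at the end, in place of the bare SshClient.setUpDefaultClient() that NetconfCallHomeServerBuilder uses. It assumes the public Mina SSHD 2.6+ API under org.apache.sshd.*; in OpenDaylight the same classes are relocated to the shaded package org.opendaylight.netconf.shaded.sshd.*, so the imports would change accordingly. The class and method names LegacyKexClientFactory, kexWithLegacyFallback and legacyTolerantClient are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.kex.BuiltinDHFactories;
import org.apache.sshd.common.kex.KeyExchangeFactory;

// Hypothetical helper, not part of the netconf project: builds an SshClient whose
// KEX list tolerates devices that only offer SHA-1 DH groups.
public final class LegacyKexClientFactory {
    // The two methods the server side of the logged session offered. Mina SSHD dropped
    // them from its default preference list in 2.6.0, which is why negotiation fails.
    private static final List<BuiltinDHFactories> LEGACY_DH_GROUPS =
        List.of(BuiltinDHFactories.dhg14,   // diffie-hellman-group14-sha1
                BuiltinDHFactories.dhg1);   // diffie-hellman-group1-sha1

    private LegacyKexClientFactory() {
    }

    // Default preference list first, legacy SHA-1 groups last: a device that supports a
    // modern method still negotiates it, only SHA-1-only devices fall back to the old ones.
    static List<KeyExchangeFactory> kexWithLegacyFallback() {
        List<KeyExchangeFactory> kex =
            new ArrayList<>(ClientBuilder.setUpDefaultKeyExchanges(true));
        List<String> alreadyPresent = kex.stream()
            .map(KeyExchangeFactory::getName)
            .collect(Collectors.toList());
        LEGACY_DH_GROUPS.stream()
            .filter(BuiltinDHFactories::isSupported)      // skip groups the JCE cannot provide
            .map(ClientBuilder.DH2KEX)                    // DHFactory -> KeyExchangeFactory
            .filter(f -> !alreadyPresent.contains(f.getName()))
            .forEach(kex::add);
        return kex;
    }

    // Drop-in replacement for the defaultSshClient() shown in the comment above.
    public static SshClient legacyTolerantClient() {
        SshClient client = SshClient.setUpDefaultClient();
        client.setKeyExchangeFactories(kexWithLegacyFallback());
        return client;
    }

    public static void main(String[] args) {
        SshClient client = legacyTolerantClient();
        // Prints the negotiation order the client will advertise in its KEXINIT;
        // the SHA-1 groups appear after every default entry.
        client.getKeyExchangeFactories().forEach(f -> System.out.println(f.getName()));
    }
}
```

The order matters for the security trade-off: because the legacy groups sit at the end of the client's list and the negotiated method is the first client entry the server also supports, an up-to-date device still ends up on an SHA-2 method, and only a device whose server list is the one in the log above (group14-sha1, group1-sha1) falls back to SHA-1. Note that diffie-hellman-group1-sha1 uses a 1024-bit modulus, so a deployment would typically make this fallback opt-in per device rather than the global default, and log the negotiated method so the remaining SHA-1 devices stay visible.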

Generated at Wed Feb 07 20:16:09 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.