RiadSanchz
Jan 09, 2018

BIG-IP F5 VE - CIPHER error when attempting SSH

Hello F5 Gurus - Do you know if there is a fix for this issue in version 13.x of BIG-IP VE, or if it's possible to upgrade openssh independently on the F5 VE?

Cipher error:

[root@BIGIP1:Active:Standalone] admin ssh lab@192.168.4.101
no matching cipher found: client aes128-cbc,aes256-cbc server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

++++++++++++++++++++++++++BIG-IP VE running old version of OpenSSH+++++++++++++++++++++++++++++++++++

[root@BIGIP1:Active:Standalone] admin ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1l-fips 15 Jan 2015 <--openssh version on Big-IP F5 VE 12.1.3 0.0.378

root@ubuntu:/home/lab ssh -V
OpenSSH_7.5p1 Ubuntu-10, OpenSSL 1.0.2g 1 Mar 2016 <--openssh version on Ubuntu 17.10 VM Server

+++++++++++++++++++++++++++++++++See note below +++++++++++++++++++++++++++++++++++++

https://unix.stackexchange.com/questions/326003/ssh-stopped-working-after-a-server-update-what-happened

Changes since OpenSSH 6.6
Potentially-incompatible changes

sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.

The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
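
As an added example (not part of the original post, and not F5 or OpenSSH code), the Python below parses the error line above and applies the SSH selection rule (the first cipher on the client's list that the server also offers) to show why negotiation fails and which of the server's ciphers a client could list under `Ciphers` in its ssh_config. The function names and the `ASSUMED_CLIENT_SUPPORT` list are assumptions made for illustration.

```python
import re

# Families the quoted OpenSSH release note says sshd no longer offers by default.
LEGACY = re.compile(r"-cbc$|^arcfour")

def parse_mismatch(line):
    """Split an OpenSSH 'no matching cipher found' line into (client, server) lists."""
    m = re.search(r"no matching cipher found: client (\S+) server (\S+)", line)
    if not m:
        raise ValueError("not a cipher-mismatch message")
    return m.group(1).split(","), m.group(2).split(",")

def negotiate(client, server):
    """RFC 4253 section 7.1: first name on the client's list that the server also lists."""
    offered = set(server)
    return next((c for c in client if c in offered), None)

def diagnose(line, client_supported=()):
    """Report the negotiated cipher, or what the client could add to its Ciphers list."""
    client, server = parse_mismatch(line)
    # Candidates: offered by the server, supported by the client binary, not legacy.
    candidates = [c for c in server
                  if c in client_supported and not LEGACY.search(c)]
    return {
        "negotiated": negotiate(client, server),
        "client_legacy_only": all(LEGACY.search(c) for c in client),
        "ciphers_to_enable": candidates,
    }

# The error line from the post above.
ERROR = ("no matching cipher found: client aes128-cbc,aes256-cbc server "
         "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
         "aes128-gcm@openssh.com,aes256-gcm@openssh.com")

# Assumption (constructed): ciphers the old client binary supports beyond
# the two that its configuration currently offers.
ASSUMED_CLIENT_SUPPORT = ("aes128-ctr", "aes192-ctr", "aes256-ctr",
                          "aes128-cbc", "aes256-cbc")

if __name__ == "__main__":
    report = diagnose(ERROR, ASSUMED_CLIENT_SUPPORT)
    print(report)
    if report["ciphers_to_enable"]:
        # Candidate line for the client's ssh_config
        print("Ciphers " + ",".join(report["ciphers_to_enable"]))
```
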

 

7 Replies

  • Hello,

    I advise you not to update openssl. I think it might be possible, but F5 probably does not support your equipment anymore in this case. I think the easiest way is to ask this question to support; it will be more likely to answer you about it...

    Can you enter this command and give me the output:

    openssl s_client -connect 192.168.4.101:22

    Regards.

  • I wouldn't recommend to upgrade openSSH on your own. If you upgrade you will lose that for sure. If there is a problem with openSSH I'd recommend you to talk to support.

  • Hello Youseff -

    Here is the info you requested:

    [root@BIGIP1:Active:Standalone] admin openssl s_client -connect 192.168.4.101:22
    CONNECTED(00000003)
    47034427331080:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 7 bytes and written 277 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

  • One more note:

    Same command from my Ubuntu Server VM to the Big-IP VM -

    root@ubuntu:/home/lab openssl s_client -connect 192.168.4.145:22
    CONNECTED(00000003)
    140708687776512:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 7 bytes and written 305 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1515490085
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

  • I think you are mixing up things a bit. Openssl and openssh are different things.

     

  • You are correct.. Youseff asked me for that information and I got thrown off... Issue here is openssh

  • RomanJ
    Ret. Employee

    Small correction, edit /etc/ssh/ssh_config (not sshd_config)

    Thanks!