Unable to reach a settlement of Client2ServerCipherAlgorithms

[ZhouMM92]

Hi, I have recently deployed a private application to a connect remote linux host and it seems to cause an issue.
It is throwing the following error message:

2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.transport.random.JCERandom - Creating new SecureRandom.
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [chacha20-poly1305@openssh.com] disabled: Illegal key size
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes192-cbc] disabled: Illegal key size
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes192-ctr] disabled: Illegal key size
2025-04-03 12:42:00.183 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes256-cbc] disabled: Illegal key size
2025-04-03 12:42:00.183 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes256-ctr] disabled: Illegal key size
2025-04-03 12:42:00.183 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes256-gcm@openssh.com] disabled: Illegal key size
2025-04-03 12:42:00.183 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [blowfish-ctr] disabled: Illegal key size
2025-04-03 12:42:00.184 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [serpent192-cbc] disabled: Illegal key size
2025-04-03 12:42:00.184 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [serpent192-ctr] disabled: Illegal key size
2025-04-03 12:42:00.184 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [serpent256-cbc] disabled: Illegal key size
2025-04-03 12:42:00.184 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [serpent256-ctr] disabled: Illegal key size
2025-04-03 12:42:00.184 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [twofish192-cbc] disabled: Illegal key size
2025-04-03 12:42:00.185 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [twofish192-ctr] disabled: Illegal key size
2025-04-03 12:42:00.185 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [twofish256-cbc] disabled: Illegal key size
2025-04-03 12:42:00.185 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [twofish256-ctr] disabled: Illegal key size
2025-04-03 12:42:00.185 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [twofish-cbc] disabled: Illegal key size
2025-04-03 12:42:00.185 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [arcfour256] disabled: Illegal key size or default parameters
2025-04-03 12:42:00.187 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.transport.TransportImpl - Client identity string: SSH-2.0-SSHJ_0.38.0
2025-04-03 12:42:00.198 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.transport.TransportImpl - Server identity string: SSH-2.0-OpenSSH_X.X
2025-04-03 12:42:00.199 [sshj-Reader-/10.172.0.65:22-1743655320198]-ERROR-net.schmizz.sshj.transport.TransportImpl - Dying because - Unable to reach a settlement of Client2ServerCipherAlgorithms: [aes128-cbc, aes128-ctr, aes128-gcm@openssh.com, blowfish-cbc, cast128-cbc, cast128-ctr, idea-cbc, idea-ctr, serpent128-cbc, serpent128-ctr, 3des-cbc, 3des-ctr, twofish128-cbc, twofish128-ctr, arcfour, arcfour128] and [aes192-ctr, aes256-ctr, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com]
net.schmizz.sshj.transport.TransportException: Unable to reach a settlement of Client2ServerCipherAlgorithms: [aes128-cbc, aes128-ctr, aes128-gcm@openssh.com, blowfish-cbc, cast128-cbc, cast128-ctr, idea-cbc, idea-ctr, serpent128-cbc, serpent128-ctr, 3des-cbc, 3des-ctr, twofish128-cbc, twofish128-ctr, arcfour, arcfour128] and [aes192-ctr, aes256-ctr, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com]
        at net.schmizz.sshj.transport.Proposal.firstMatch(Proposal.java:182)
        at net.schmizz.sshj.transport.Proposal.negotiate(Proposal.java:138)
        at net.schmizz.sshj.transport.KeyExchanger.gotKexInit(KeyExchanger.java:265)
        at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:424)
        at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:496)
        at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:113)
        at net.schmizz.sshj.transport.Decoder.received(Decoder.java:200)
        at net.schmizz.sshj.transport.Reader.run(Reader.java:60)
2025-04-03 12:42:00.200 [sshj-Reader-/10.172.0.65:22-1743655320198]-INFO -net.schmizz.sshj.transport.TransportImpl - Disconnected - UNKNOWN
2025-04-03 12:42:00.200 [http-nio-9500-exec-5]-ERROR-net.schmizz.concurrent.Promise - <<kex done>> woke to: net.schmizz.sshj.transport.TransportException: Unable to reach a settlement of Client2ServerCipherAlgorithms: [aes128-cbc, aes128-ctr, aes128-gcm@openssh.com, blowfish-cbc, cast128-cbc, cast128-ctr, idea-cbc, idea-ctr, serpent128-cbc, serpent128-ctr, 3des-cbc, 3des-ctr, twofish128-cbc, twofish128-ctr, arcfour, arcfour128] and [aes192-ctr, aes256-ctr, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com]
2025-04-03 12:42:00.201 [http-nio-9500-exec-5]-ERROR-com.unicom.host.websocket.connection.impl.SSHConnection - TransportException error:net.schmizz.sshj.transport.TransportException: Unable to reach a settlement of Client2ServerCipherAlgorithms: [aes128-cbc, aes128-ctr, aes128-gcm@openssh.com, blowfish-cbc, cast128-cbc, cast128-ctr, idea-cbc, idea-ctr, serpent128-cbc, serpent128-ctr, 3des-cbc, 3des-ctr, twofish128-cbc, twofish128-ctr, arcfour, arcfour128] and [aes192-ctr, aes256-ctr, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com]

The dependencies in my pom.xml are as follows:

		<dependency>
			<groupId>com.hierynomus</groupId>
			<artifactId>sshj</artifactId>
			<version>0.38.0</version>
		</dependency>
		<dependency>
			<groupId>org.bouncycastle</groupId>
			<artifactId>bcprov-jdk15on</artifactId>
			<version>1.69</version> 
		</dependency>

And I have add bouncycastle Provider in my spingboot start class:

Application.java

	public static void main(String[] args) {
		Security.addProvider(new BouncyCastleProvider());
		SpringApplication.run(Application.class, args);
		logger.info(" start success !");
	}

The other infos are as follows:

1. remote linux server: linux
2. remoter linux server ssh version: OpenSSH_X.Xp1, OpenSSL 1.0.2k-fips 26 Jan 2017
3. JDK : 1.8.0_382

As I know , the JDK -1.8.0_382 version has used unlimited JCE.

So anyone have an idea of what is happening, and how fix it?

[ZhouMM92]

@hierynomus

[hierynomus]

As far as I can see, the messages:

2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [chacha20-poly1305@openssh.com] disabled: Illegal key size
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes192-cbc] disabled: Illegal key size
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes192-ctr] disabled: Illegal key size

mean that it's not running with unlimited JCE 🤷‍♂

[ZhouMM92]

As far as I can see, the messages:

2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [chacha20-poly1305@openssh.com] disabled: Illegal key size
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes192-cbc] disabled: Illegal key size
2025-04-03 12:42:00.182 [http-nio-9500-exec-5]-INFO -net.schmizz.sshj.DefaultConfig - Cipher [aes192-ctr] disabled: Illegal key size

mean that it's not running with unlimited JCE 🤷‍♂

My application runs with a docker in a linux host, the unlimited JCE you mean is the jce of my linux host?

[hierynomus]

No, the docker container should have the unlimited JCE policies, or use for instance OpenJDK which no longer needs that afaik