On April 2, 2025, we will update the SFTP connection library to Apache MINA SSHD for improved security.
Overview
On April 2, 2025, we're updating the SFTP connection library to Apache MINA SSHD. This change will improve security and compliance by supporting a wider range of key exchange algorithms, ciphers, and MACs in line with Federal Information Processing Standard (FIPS) 140-2 guidelines.
This change may impact the connection between Fuse and the SFTP servers you connect with in the Delivery Destination (SFTP-type). If the SFTP server does not support at least one of the newly listed algorithms in each category (key exchange, cipher, MAC, and host key type), you may encounter an error when testing the existing SFTP connection in a Delivery Destination. The error message will be: "Unable to negotiate key exchange for encryption algorithms to the SFTP host <HostName>."
Action Required: Check for SFTP Delivery Types
- Navigate to Menu > Settings > Global Setup > Delivery Destinations
- Check for the Delivery Type of SFTP. Use the magnifying glass icon to see recent history for this delivery.
- If you do not have any deliveries currently using SFTP, you don't need to do anything else.
- If you do have SFTP deliveries, you will need to forward this article to whoever on IT owns each delivery.
Check your SFTP Server's Supported Algorithms
- The SFTP server should support at least one algorithm in each category: key exchange, cipher, MAC, and host key type.
- Contact your IT team or your SFTP server provider's IT team to determine which key exchange algorithms are supported by your SFTP server and the strength of RSA-type keys for authentication they support.
Supported Algorithms
If your SFTP server does not support at least one algorithm from each category listed above, you must ask your SFTP server provider to upgrade to a compatible version.
| Category | Currently Supported Algorithms | Future Supported Algorithms |
|---|---|---|
| Key-exchange | | curve25519-sha256 |
| | | curve448-sha512 |
| | diffie-hellman-group14-sha1 (deprecates with update) | |
| | | diffie-hellman-group14-sha256 |
| | | diffie-hellman-group15-sha512 |
| | | diffie-hellman-group16-sha512 |
| | | diffie-hellman-group17-sha512 |
| | | diffie-hellman-group18-sha512 |
| | diffie-hellman-group-exchange-sha256 | diffie-hellman-group-exchange-sha256 |
| | ecdh-sha2-nistp256 | ecdh-sha2-nistp256 |
| | ecdh-sha2-nistp384 | ecdh-sha2-nistp384 |
| | ecdh-sha2-nistp521 | ecdh-sha2-nistp521 |
| | ecdsa-sha2-nistp256 (deprecates with update) | |
| | ecdsa-sha2-nistp384 (deprecates with update) | |
| | ecdsa-sha2-nistp521 (deprecates with update) | |
| Ciphers | blowfish-cbc (deprecates with update) | |
| | 3des-cbc (deprecates with update) | |
| | aes128-cbc | aes128-cbc |
| | aes192-cbc | aes192-cbc |
| | aes256-cbc | aes256-cbc |
| | aes128-ctr | aes128-ctr |
| | aes192-ctr | aes192-ctr |
| | aes256-ctr | aes256-ctr |
| | 3des-ctr (deprecates with update) | |
| | arcfour (deprecates with update) | |
| | arcfour128 (deprecates with update) | |
| | arcfour256 (deprecates with update) | |
| MAC | hmac-md5 (deprecates with update) | |
| | hmac-md5-96 (deprecates with update) | |
| | hmac-sha1 | hmac-sha1 |
| | hmac-sha1-96 (deprecates with update) | |
| | | hmac-sha2-256 |
| | | hmac-sha2-512 |
| Host key type | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp256 |
| | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp384 |
| | ecdsa-sha2-nistp521 | ecdsa-sha2-nistp521 |
| | | rsa-sha2-256 |
| | | rsa-sha2-512 |
| | | ssh-ed25519 |
| | ssh-rsa | ssh-rsa |
| | ssh-dss (deprecates with update) | |

- Key Strength Upgrade: The "Generate Keys" button will generate RSA 4096-bit keys for SSH Keys Authentication or Mixed Authentication.
- Existing Connections (Existing SFTP Delivery Destinations): If you're using an SFTP-type Delivery Destination with SSH Keys Authentication or Mixed Authentication established before the upgrade, you'll continue to use the previously generated RSA 2048-bit key and will not be affected.
- New Connections (New SFTP Delivery Destinations): If you create a new SFTP-type Delivery Destination with SSH Keys Authentication or Mixed Authentication after the upgrade, an RSA 4096-bit key will be generated when you Generate Keys. If your SFTP server does not support RSA 4096-bit keys, you will need to upgrade the SFTP server or use Password Authentication.
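
One way to run the server-side algorithm check described above, as an added example that is not part of the original notice or of Fuse's own tooling: it reads the server's cleartext SSH_MSG_KEXINIT (RFC 4253, section 7.1) and reports which categories share no algorithm with the Future Supported Algorithms column. The function names, the client identification string and the 35000-byte packet limit are assumptions made for this example.

```python
import socket
import struct

# Transcribed from the "Future Supported Algorithms" column on this page.
FUTURE = {
    "Key-exchange": {"curve25519-sha256", "curve448-sha512", "diffie-hellman-group14-sha256",
                     "diffie-hellman-group15-sha512", "diffie-hellman-group16-sha512",
                     "diffie-hellman-group17-sha512", "diffie-hellman-group18-sha512",
                     "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "Ciphers": {"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "MAC": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "Host key type": {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
                      "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519", "ssh-rsa"},
}
# Index of each category's name-lists in KEXINIT. Ciphers and MACs are negotiated
# separately per direction, so both directions must overlap.
FIELDS = {"Key-exchange": (0,), "Host key type": (1,), "Ciphers": (2, 3), "MAC": (4, 5)}

def parse_kexinit(payload: bytes) -> list:
    """Return the 10 name-lists of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    lists, pos = [], 17  # skip message type (1 byte) and cookie (16 bytes)
    for _ in range(10):
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + n > len(payload):
            raise ValueError("truncated KEXINIT payload")
        raw = payload[pos + 4:pos + 4 + n]
        lists.append(raw.decode("ascii").split(",") if raw else [])
        pos += 4 + n
    return lists

def missing_categories(payload: bytes) -> list:
    """Categories in which the server offers nothing from the future list."""
    lists = parse_kexinit(payload)
    return [c for c in FUTURE if any(not FUTURE[c] & set(lists[i]) for i in FIELDS[c])]

def fetch_kexinit(host: str, port: int = 22, timeout: float = 10.0) -> bytes:
    """Read the server's KEXINIT payload; no authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # lines may precede the banner
            line = f.readline()
        s.sendall(b"SSH-2.0-algcheck_0.1\r\n")  # constructed client identification
        head = f.read(5)  # uint32 packet_length, byte padding_length
        length, pad = struct.unpack(">IB", head) if len(head) == 5 else (0, 0)
        if not pad < length <= 35000:
            raise ConnectionError("no plausible KEXINIT packet from server")
        return f.read(length - 1)[: length - 1 - pad]
```

Calling `missing_categories(fetch_kexinit("sftp.example.com"))` (placeholder host name) against your own server returns an empty list when every category has at least one algorithm from the future column; any category it names would have to be enabled on the server before the update.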