silc-server-1.1-beta1: 'Unsupported cipher' on connect

jayjwa jayjwa at atr2.ath.cx
Wed Jul 11 19:51:07 CEST 2007 



I gave the 1.1 beta1 server a go. It does not want to compile with 
--disable-ipv6. Leaving this off is OK. The main problem I'm having is with 
clients connecting to the new server; they can't.


12:55 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
12:55 >>> Irssi: Connection to vdrl.ath.cx established
12:55 >>> Error during key exchange with vdrl.ath.cx: Unsupported cipher
12:55 >>> Irssi: Connection lost to vdrl.ath.cx
12:55 >>> Irssi: Removed reconnection to server vdrl.ath.cx port 706
12:55 >>> Irssi: Looking up vdrl.ath.cx
12:55 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
12:55 >>> Irssi: Connection to vdrl.ath.cx established
12:55 >>> Error during key exchange with vdrl.ath.cx: Unsupported cipher
12:55 >>> Irssi: Connection lost to vdrl.ath.cx
12:55 >>> Irssi: Removed reconnection to server vdrl.ath.cx port 706
12:55 >>> Irssi: Looking up vdrl.ath.cx
12:55 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
12:55 >>> Irssi: Connection to vdrl.ath.cx established
12:55 >>> Error during key exchange with vdrl.ath.cx: Unsupported cipher


13:01:38 silc_server_accept_new_connection:2529: Accepting new connection
13:01:38 silc_server_config_ref:1587: Referencing config [0x8168a28] refcnt 
13->14
[Logging] [Info] Incoming connection vdrl.ath.cx (192.168.10.76)
13:01:38 silc_server_accept_new_connection:2634: Starting key exchange 
protocol
13:01:38 silc_ske_alloc:1013: Allocating new Key Exchange object
13:01:38 silc_ske_responder:2416: Start SKE as responder
13:01:38 silc_ske_st_responder_start:1862: Start
13:01:38 silc_ske_st_responder_phase1:1890: Start
13:01:38 silc_ske_st_responder_phase1:1925: Force mutual authentication
13:01:38 silc_ske_st_responder_phase1:1931: Force PFS
13:01:38 silc_ske_select_security_properties:213: Parsing KE Start Payload
13:01:38 silc_ske_select_security_properties:303: Proposed KE group 
`diffie-hellman-group1'
13:01:38 silc_ske_select_security_properties:306: Found KE group 
`diffie-hellman-group1'
13:01:38 silc_ske_select_security_properties:357: Proposed PKCS alg `rsa'
13:01:38 silc_ske_select_security_properties:360: Found PKCS alg `rsa'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`aes-256-cbc'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`aes-256-ctr'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`aes-192-ctr'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`aes-128-ctr'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`aes-192-cbc'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`aes-128-cbc'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`twofish-256-cbc'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`twofish-192-cbc'
13:01:38 silc_ske_select_security_properties:405: Proposed encryption alg 
`twofish-128-cbc'
13:01:38 silc_ske_select_security_properties:426: Could not find supported 
encryption alg
13:01:38 silc_ske_st_responder_error:2393: Error 4 (Unsupported cipher) during 
key exchange protocol
[Logging] [Error] Error (Unsupported cipher) during Key Exchange protocol with 
vdrl.ath.cx (192.168.10.76)
13:01:38 silc_ske_free:1043: Freeing Key Exchange object
13:01:39 silc_server_disconnect_remote:2842: Disconnecting remote host
[Logging] [Info] Closing connection vdrl.ath.cx:47517 [Unknown]
13:01:39 silc_ske_free:1043: Freeing Key Exchange object



Client used: SILC Client 1.1.1 (Irssi base: 0.8.11+ - SILC base: SILC 1.1.1) 
(20070628 20070628)

According to the client,
aes-256-cbc,
aes-256-ctr,
aes-192-ctr,
aes-128-ctr,
aes-192-cbc,
aes-128-cbc,
twofish-256-cbc,
twofish-192-cbc,
twofish-128-cbc

are supported. Key was:

Public key file    : .silc/jayjwa-silc.pub
Algorithm          : rsa
Key length (bits)  : 2048
Real name          : jayjwa
Username           : jayjwa
Hostname           : vdrl.ath.cx
Email              : jayjwa at vdrl.ath.cx
Fingerprint (SHA1) : 634B 1EF7 E44C 32B7 2A14  C4D5 A671 8E15 0BFD 573A
Babbleprint (SHA1) : 
ximog-ryluz-lynag-sisar-lopuc-gicut-hunil-cofac-hadez-tehaf-pexax


/SET option shows:

crypto_default_cipher = aes-256-cbc
crypto_default_hash = sha1

Maybe I should make a new key, but option of 'cipher' is never given, and I 
again get
Algorithm          : rsa

which is not in the list:

aes-256-cbc,
aes-256-ctr,
aes-192-ctr,
aes-128-ctr,
aes-192-cbc,
aes-128-cbc,
twofish-256-cbc,
twofish-192-cbc,
twofish-128-cbc

(unless I'm misunderstanding silc keys/algorithms/ciphers?)

[ jayjwa at vdrl:~>] silc --create-key-pair

New pair of keys will be created.  Please, answer to following questions.
PKCS name (l to list names) [rsa]:
Key length in key_len_bits [2048]:
Identifier [UN=jayjwa, HN=vdrl.ath.cx, RN=jayjwa, E=jayjwa at vdrl.ath.cx]:
Public key filename [public_key.pub]: jayjwa-silc.pub
Private key filename [private_key.prv]: jayjwa-silc.prv
Private key passphrase:
Retype private key passphrase:
Generating the key pair...
Public key has been saved into `jayjwa-silc.pub'.
Private key has been saved into `jayjwa-silc.prv'.
Press <Enter> to continue...

[ jayjwa at vdrl:~>] silc --show-key=jayjwa-silc.pub
Public key file    : jayjwa-silc.pub
Algorithm          : rsa
Key length (bits)  : 2048
Real name          : jayjwa
Username           : jayjwa
Hostname           : vdrl.ath.cx
Email              : jayjwa at vdrl.ath.cx
Fingerprint (SHA1) : CD61 ADB1 95CE DD21 4378  0C35 4E3B 29A2 4EBC AF14
Babbleprint (SHA1) : 
xufek-coryr-cohes-volad-cobol-myfof-hefif-rypyp-defyr-suric-gexax


The new key also fails:

13:28 >>> Irssi: Looking up vdrl.ath.cx
13:28 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
13:28 >>> Irssi: Unable to connect server vdrl.ath.cx port 706 [Connection 
refused]
13:28 >>> Irssi: Removed reconnection to server vdrl.ath.cx port 706
13:28 >>> Irssi: Looking up vdrl.ath.cx
13:28 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
13:28 >>> Irssi: Unable to connect server vdrl.ath.cx port 706 [Connection 
refused]
13:28 >>> Irssi: Removed reconnection to server vdrl.ath.cx port 706
13:28 >>> Irssi: Looking up vdrl.ath.cx
13:28 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
13:28 >>> Irssi: Unable to connect server vdrl.ath.cx port 706 [Connection 
refused]
13:28 >>> Irssi: Removed reconnection to server vdrl.ath.cx port 706


Changing ciphers with /SET doesn't seem to help, either.

crypto_default_cipher = twofish-256-cbc

13:30 >>> Irssi: Looking up vdrl.ath.cx
13:30 >>> Irssi: Connecting to vdrl.ath.cx [192.168.10.76] port 706
13:30 >>> Irssi: Unable to connect server vdrl.ath.cx port 706 [Connection 
refused]
13:30 >>> Irssi: Removed reconnection to server vdrl.ath.cx port 706
13:30 >>> Irssi: Looking up vdrl.ath.cx
13:30 >>> Irssi: Reconnecting to vdrl.ath.cx [192.168.10.76] port 706 - use 
/RMRECONNS to abort
13:30 >>> Irssi: Unable to connect server vdrl.ath.cx port 706 [Connection 
refused]

I replaced both server and client keys, but it did not seem to make a 
difference.

More information about the silc-users mailing list