IBM Support

IT00310: SSP SFTP ADAPTER DOES NOT ALLOW "NONE" COMPRESSION WHEN ZLIB COMPRESSION SELECTED IN THE ADAPTER

 

APAR status

  • Closed as program error.

Error description

  • The Manual states that when Zlib compression is chosen both
    Zlib and None compression are supported, but during the Key
    exchange only Zlib compression is presented as an option, causing
    clients that do not support Zlib compression to fail
    
    Compression is controlled by the SFTP Advanced Adapter
    settings; there are two settings, "NONE" and zlib, documented as
    follows (it's the bit underlined in red that's the probable
    root cause of the problem)
    
    The problem is when zlib is chosen then "none" is not sent as a
    compression option as seen and I can also recreate the issue.
    
    Select "NONE" as the compression option
    
    
    Starting a session results in the debug client output showing
    "none" being sent in the Key Exchange Init
    
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    debug2: kex_parse_kexinit: ssh-rsa
    debug2: kex_parse_kexinit: 3des-cbc
    debug2: kex_parse_kexinit: 3des-cbc
    debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96
    debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96
    debug2: kex_parse_kexinit: none
    debug2: kex_parse_kexinit: none
    
    and a packet trace shows the "none" coming from the SSP SFTP
    Server.
    
    
    
    Repeating the exercise with "zlib" compression
    
    
    
    This time the client trace shows only "zlib" being sent as a
    compression option
    
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    debug2: kex_parse_kexinit: ssh-rsa
    debug2: kex_parse_kexinit: 3des-cbc
    debug2: kex_parse_kexinit: 3des-cbc
    debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96
    debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96
    debug2: kex_parse_kexinit: zlib
    debug2: kex_parse_kexinit: zlib
    
    and confirmed as originating from the SSP SFTP Adapter in the
    packet trace
    
    
    
    The manual states when zlib is chosen then Zlib and None are
    supported; however, this does not appear to be the case, as only
    zlib is being returned by SSP as a supported compression method,
    which will break clients that do not support zlib compression.
    
    SSP should be returning the following Key Exchange Init value
    
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    

Local fix

  • STRRTC - 415108
    SP/RJ
    Circumvention:
    Update to latest SSP Build
    

Problem summary

  • SFTP Zlib compression not allowing NONE
    Customer coded zlib compression on their SFTP adapter
    configuration (advanced tab). Some clients could not connect
    because they did not want to do compression. The documentation
    stated that specifying zlib would allow zlib or NONE.
    

Problem conclusion

  • Resolution: Added 2 new options to the SFTP compression field:
       zlib,none  - allows zlib or NONE but makes zlib preferred
       none,zlib  - allows zlib or NONE but makes NONE preferred
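
The negotiation at issue here, as an added example that is not IBM's code or part of the original APAR: it applies the RFC 4253 section 7.1 rule (the first name on the client's list that the server also offers) to the compression settings named above. The trace text is constructed in the debug2 format quoted in the error description, and the function names are illustrative.

```python
# Added example; trace text and function names are constructed for illustration.
PREFIX = "debug2: kex_parse_kexinit:"
# Order of the first eight name-lists in SSH_MSG_KEXINIT (RFC 4253, 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c",
          "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c")

# Constructed sample: one server proposal with the adapter set to "zlib".
SERVER_TRACE = """\
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: zlib
"""


def parse_proposal(trace):
    """Map the debug2 lines of a single proposal onto KEXINIT fields."""
    lists = []
    for line in trace.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        value = line[len(PREFIX):].strip()
        if value.split(" ")[0] in ("first_kex_follows", "reserved"):
            continue  # scalar fields, not name-lists
        lists.append([n for n in value.split(",") if n])
    return dict(zip(FIELDS, lists))


def negotiate(client_list, server_list):
    """Return the first client name the server also offers, else None."""
    return next((n for n in client_list if n in server_list), None)


def outcomes(server_setting, client_lists):
    """Negotiation result for each client list against one server setting."""
    server = server_setting.split(",")
    return {",".join(c): negotiate(c, server) for c in client_lists}


if __name__ == "__main__":
    clients = [["none"], ["zlib", "none"], ["none", "zlib"]]
    for setting in ("zlib", "zlib,none", "none,zlib"):
        print(setting, outcomes(setting, clients))
```

A result of `None` means no common algorithm, in which case RFC 4253 requires both sides to disconnect. Under the RFC rule the client's order decides, so both two-name server settings give the same outcome for each client list here.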
    

Temporary fix

  •  Description of issue:
      RTC415108/ (CM, Engine) - SFTP Zlib compression not allowing NONE
      Customer coded zlib compression on their SFTP adapter
      configuration (advanced tab). Some clients could not connect
      because they did not want to do compression. The documentation
      stated that specifying zlib would allow zlib or NONE.

     Description of fix:
      Resolution: Added 2 new options to the SFTP compression field:
         zlib,none  - allows zlib or NONE but makes zlib preferred
         none,zlib  - allows zlib or NONE but makes NONE preferred
    

Comments

APAR Information

  • APAR number

    IT00310

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-03-13

  • Closed date

    2014-03-24

  • Last modified date

    2014-03-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  •    None
    NONE
    

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY

       UP


Document Information

Modified date:
24 March 2014