APAR status
Closed as program error.
Error description
User attempts to connect but the key exchange is rejected. Last part of message received by customers is: debug2: mac_setup: setup hmac-sha1 debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: mac_setup: setup hmac-sha1 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1536<7680<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP DH_GEX group out of range: 1536 !< 1024 !< 8192 Couldn't read packet: Connection reset by peer
Local fix
STRRTC - 492949 RJ/RJ Circumvention: Update to latest SSP Build
Problem summary
When using the latest version on an SFTP client, such as OpenSSH, it is possible that connections to SSP SFTP adapters will fail with this error: DH_GEX group out of range: 1536 !< 1024 !< 8192.
Problem conclusion
Code has been added to SSP to correctly negotiate a key size during the Diffie Hellman key exchange.
Temporary fix
Comments
APAR Information
APAR number
IT15184
Reported component name
STR SECURE PROX
Reported component ID
5725D0300
Reported release
342
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-05-09
Closed date
2016-05-18
Last modified date
2016-05-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR SECURE PROX
Fixed component ID
5725D0300
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS6PNW","label":"Sterling Secure Proxy"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"342","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]
Document Information
Modified date:
22 May 2025