Error: Unsupported algorithm: arcfour256
lynchs61 opened this issue · 1 comments
We have our setup for connecting to devices using a SOCKSv5 tunnel as shown below. This has worked for years and has been used to connect to a huge number of devices from AWS Lambda functions. Now we're trying to execute a device connection in the same way but from a Docker container running Alpine Linux. It fails saying that 'arcfour256' is unsupported. I looked through the code that defines whether an algorithm is supported and ran a quick test locally that showed that this cipher is supported. Is there something about the Docker environment (or something else) that is making this algorithm unsupported?
```javascript
// Key exchange algorithms offered to the device, in preference order
const sshKeyExchs = [
  'ecdh-sha2-nistp256',
  'ecdh-sha2-nistp384',
  'ecdh-sha2-nistp521',
  'diffie-hellman-group-exchange-sha256',
  'diffie-hellman-group14-sha256',
  'diffie-hellman-group16-sha512',
  'diffie-hellman-group18-sha512',
  'diffie-hellman-group-exchange-sha1',
  'diffie-hellman-group14-sha1',
  'diffie-hellman-group1-sha1',
];

// Ciphers offered to the device, in preference order
const sshCiphers = [
  'aes128-gcm',
  'aes128-gcm@openssh.com',
  'aes256-gcm',
  'aes256-gcm@openssh.com',
  'aes128-ctr',
  'aes192-ctr',
  'aes256-ctr',
  '3des-cbc',
  'aes256-cbc',
  'aes192-cbc',
  'aes128-cbc',
  'arcfour256',
  'arcfour128',
  'arcfour',
  'blowfish-cbc',
  'cast128-cbc',
];

// `socket` is the stream handed back by the SOCKSv5 client
clientSSH2.connect({
  sock: socket,
  username: '....',
  password: '.....',
  algorithms: {
    kex: sshKeyExchs,
    cipher: sshCiphers,
  },
});
```
This is the error and stack trace (since I'm not handling the error properly, it crashes):
```
throw new Error(`Unsupported algorithm: ${algoList[i]}`);
^
Error: Unsupported algorithm: arcfour256
    at generateAlgorithmList (/opt/local/lwc-file-ops-worker/node_modules/ssh2/lib/utils.js:215:15)
    at Client.connect (/opt/local/lwc-file-ops-worker/node_modules/ssh2/lib/client.js:176:30)
    at Client.<anonymous> (/opt/local/lwc-file-ops-worker/node_modules/@jsas/lwc-junos-worker-pkg/src/index.js:962:16)
    at Client.emit (node:events:513:28)
    at Parser.<anonymous> (/opt/local/lwc-file-ops-worker/node_modules/@jsas/socksv5/lib/client.js:136:10)
    at Parser.emit (node:events:513:28)
    at Parser._onData (/opt/local/lwc-file-ops-worker/node_modules/@jsas/socksv5/lib/client.parser.js:198:16)
    at Parser.__onData (/opt/local/lwc-file-ops-worker/node_modules/@jsas/socksv5/lib/client.parser.js:33:10)
    at Socket.emit (node:events:513:28)
    at addChunk (node:internal/streams/readable:324:12)
```
You need to pass `--openssl-legacy-provider` to your node executable (before the script) to re-enable legacy algorithms. This is a change with OpenSSL 3.x.