Hi,

   +-From: Antoine Levy Lambert <anto...@gmx.de> --
   |_Date: Thu, 21 Feb 2013 21:52:37 -0500 ________
   |
   |I am using Jsch with the ant <sshexec/> task. Under Java 1.6 I never had
   |a problem. Our company recently migrated to Java 1.7
   |We are getting often - maybe once in 100 invocations - a failure with a
   |"verify: false" error.

We have found that the following environments do not have any
"verify: false" error in 10,000 invocations:
  * java6u16
  * java6u41
  * java7(jdk1.7.0)
  * java7u3
  * java7u5
and we have been able to reproduce about 20 "verify: false" errors
in 10,000 invocations on the following environments:
  * java7u6
  * java7u7
  * java7u15

It seems the JCE included in Java7u6 (and later) has suddenly changed its behavior.

Please try the following version,
  http://www.jcraft.com/jsch/jsch-0.1.50-rc1.zip

We have confirmed this version can make 10,000 connections without 
any "verify: false" errors on Java7u15.

If you are not interested in what has happened behind the scenes,
please ignore the following description.

The error "verify: false" means the failure of the key-exchange.
In the ssh protocol, at the start of the connection, the key-exchange
will be done to have a shared secret between client and server.
# As you know, that shared secret will be used to cipher/decipher the packet.
For the key-exchange, the ssh protocol has adopted Diffie-Hellman key exchange,
and, for that purpose, jsch has used JCE's API,
  byte[] javax.crypto.KeyAgreement#generateSecret()
This method will return a two's complement bit image as a BigInteger value.
I don't know the reason, but Java7u6 has changed its implementation.
For example, suppose that you have 0x01 as a shared secret:
that method of Java7u5 had returned a byte array {(byte)0x01}, and,
on the other hand, Java7u6 has returned a byte array {(byte)0, (byte)0x01}.
From a BigInteger calculus point of view, {(byte)0x01} and
{(byte)0, (byte)0x01} represent 0x01, but it is not good for a shared secret,
because sshd must have {(byte)0x01} as a shared secret.
In the above fixed jsch version, {(byte)0, (byte)0x01} will be normalized
as {(byte)0x01} before continuing the processing.
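The representation mismatch described above, as an added example that is not JSch's own code: normalise the byte array returned by a KeyAgreement-style API to its minimal form and encode it as the SSH mpint used in the exchange hash. The mpint rules come from RFC 4253 section 5, not from this message, and all inputs are constructed; no real Diffie-Hellman computation is performed.

```python
# Added example (not JSch code). Demonstrates why a redundant leading 0x00
# byte in the shared secret K changes the key-exchange encoding, and how
# normalising K to its minimal two's complement image avoids that.


def normalize_shared_secret(k: bytes) -> bytes:
    """Return the minimal big-endian byte string denoting the same
    non-negative integer: strip redundant leading 0x00 bytes, but keep a
    single 0x00 for the value zero."""
    stripped = k.lstrip(b"\x00")
    return stripped if stripped else b"\x00"


def encode_mpint(k: bytes) -> bytes:
    """Encode K as an SSH 'mpint' (RFC 4253, section 5): a uint32 length,
    then the big-endian two's complement value with no redundant leading
    zero, prefixed by 0x00 only when the top bit would otherwise be set."""
    body = normalize_shared_secret(k)
    if body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def length_prefixed_raw(k: bytes) -> bytes:
    """Length-prefix the array exactly as received, without normalising.
    Used only to show how the redundant byte would leak into the encoding."""
    return len(k).to_bytes(4, "big") + k


def same_integer(a: bytes, b: bytes) -> bool:
    """The BigInteger view: both byte arrays denote the same value."""
    return int.from_bytes(a, "big") == int.from_bytes(b, "big")


if __name__ == "__main__":
    before = bytes([0x01])         # constructed: what Java7u5 returned for K = 1
    after = bytes([0x00, 0x01])    # constructed: what Java7u6 returns for K = 1
    assert same_integer(before, after)
    # Carrying the extra byte into the encoding yields a different mpint
    # than the minimal one the peer computes, so the exchange hashes differ.
    print("raw      :", length_prefixed_raw(after).hex())
    print("normalised:", encode_mpint(after).hex())
    # A secret whose top bit is set keeps its 0x00 prefix after normalisation,
    # because the mpint rule re-adds it from the integer value.
    print("K=0x81   :", encode_mpint(bytes([0x00, 0x81])).hex())
```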


Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
1-14-20 HONCHO AOBA-KU,
SENDAI, MIYAGI 980-0014 Japan.
Tel +81-22-723-2150
Skype callto://jcraft/
Twitter: http://twitter.com/ymnk
Facebook: http://facebook.com/aymnk

_______________________________________________
JSch-users mailing list
JSch-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jsch-users
