Key exchange failed, how to clear cache?

Posted: 2020-02-10 19:13
by SHADOWSTRIKE1
Hey everybody, first time posting here, and hoping someone can point me in the right direction.

So at work we had to make some changes on our SFTP server for PCI DSS 3.2 compliance, which included removing things such as hmac-md5, hmac-md5-96, hmac-sha1, and hmac-sha1-96 hashing algorithms, 3des-cbc, blowfish-cbc, and cast128-cbc encryption algorithms, and diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 key exchange algorithms.

We performed this over the weekend during a maintenance period, and I was able to successfully connect to the server after the change. However, we had a number of clients that couldn't connect this morning. They were reporting "key exchange failed" errors. We went and rolled back the changes, and they were able to connect again. My running theory is that they had one of the removed key exchanges cached, and failed when trying to connect using those removed algorithms. I figured it would go on to a higher encryption algorithm instead of failing, but here we are.

Has anyone had a similar problem when updating their algorithms? Is there an easy way to clear out that cache?

Re: Key exchange failed, how to clear cache?

Posted: 2020-02-11 08:28
by botg
There is no such cache in FileZilla.
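As an added illustration of why the clients in the original post failed outright instead of falling back to a stronger algorithm (this is not code from the thread or from FileZilla): a simplified model of the SSH algorithm negotiation in RFC 4253 section 7.1, run over constructed client and server name lists. The real negotiation also checks host-key compatibility for the chosen kex and negotiates ciphers and MACs per direction, which is left out here.

```python
# Added example: simplified SSH algorithm negotiation (RFC 4253 section 7.1).
# All name lists below are constructed for the demonstration.
from typing import Dict, List, Optional

CATEGORIES = ("kex", "cipher", "mac")

# Constructed hardened server: the algorithms named in the original post
# (dh-group1/group14-sha1, 3des/blowfish/cast128-cbc, hmac-md5/-sha1 and the
# -96 variants) are absent.
HARDENED_SERVER = {
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "cipher": ["aes256-ctr", "aes128-ctr", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}
# Constructed: the same server after the rollback, legacy algorithms re-enabled.
LEGACY_SERVER = {
    "kex": HARDENED_SERVER["kex"] + ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": HARDENED_SERVER["cipher"] + ["3des-cbc", "blowfish-cbc", "cast128-cbc"],
    "mac": HARDENED_SERVER["mac"] + ["hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"],
}
# Constructed: an old client that only implements SHA-1 based key exchange.
OLD_CLIENT = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-ctr", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
# Constructed: a current client.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "cipher": ["aes256-gcm@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-256"],
}

def choose(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first name in the client's list that the server also
    offers is chosen; the client's order decides, not the server's."""
    for name in client:
        if name in server:
            return name
    return None  # no common algorithm in this category

def diagnose(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> List[str]:
    """Return the categories with no overlap; any non-empty result means the
    handshake aborts, which surfaces as a 'key exchange failed' style error."""
    return [c for c in CATEGORIES if choose(client[c], server[c]) is None]

def negotiate(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Chosen algorithm per category, or None when any single category fails.
    There is no fallback: a client that offers no acceptable kex is rejected
    even if its ciphers and MACs would have been fine."""
    if diagnose(client, server):
        return None
    return {c: choose(client[c], server[c]) for c in CATEGORIES}
```

Note that OLD_CLIENT shares a cipher with the hardened server yet still fails, because negotiation needs an overlap in every category and the client offers nothing newer for the server to "go on to".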