Issue 3017: Replication error with openssl 1.0.1j
Status:  New
Owner: ----
Reported by Reinhard...@gmail.com, Nov 13, 2014

Affected Version:
Gerrit 2.9.1

What steps will reproduce the problem?
1. Install latest ssl / ssh on replication target server (1.0.1j, 6.7p1)
2. Recompile ssl / ssh on that machine and restart sshd server

What is the expected output? What do you see instead?

I expected the replication to continue working; however, it failed.
Any idea why this is happening and how it can be corrected?
Changing ssl / ssh back to 1.0.1i / 6.6p2 resolved the issue; however, this is only a temporary solution.

Please provide any additional information below.

After switching to the latest ssl / ssh version on our backup Gerrit server, the replication from the primary server failed.
There are error messages in the log for the replication plugin and errors in the system log of the receiving machine:

Gerrit log errors:

ERROR com.googlesource.gerrit.plugins.replication.ReplicationQueue : Cannot replicate to ssh://gerrit2@usbrgt01/gitstore/gerrit0/webclient.git
org.eclipse.jgit.errors.TransportException: ssh://gerrit2@usbrgt01/gitstore/gerrit0/webclient.git: Algorithm negotiation fail
        at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:145)
        at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:121)
        at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:248)
        at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:147)
        at com.googlesource.gerrit.plugins.replication.PushOne.listRemote(PushOne.java:500)
        at com.googlesource.gerrit.plugins.replication.PushOne.doPushAll(PushOne.java:444)
        at com.googlesource.gerrit.plugins.replication.PushOne.generateUpdates(PushOne.java:437)
        at com.googlesource.gerrit.plugins.replication.PushOne.pushVia(PushOne.java:383)
        at com.googlesource.gerrit.plugins.replication.PushOne.runImpl(PushOne.java:366)
        at com.googlesource.gerrit.plugins.replication.PushOne.runPushOperation(PushOne.java:271)
        at com.googlesource.gerrit.plugins.replication.PushOne.access$000(PushOne.java:78)
        at com.googlesource.gerrit.plugins.replication.PushOne$1.call(PushOne.java:244)
        at com.googlesource.gerrit.plugins.replication.PushOne$1.call(PushOne.java:241)
        at com.google.gerrit.server.util.RequestScopePropagator$5.call(RequestScopePropagator.java:222)
        at com.google.gerrit.server.util.RequestScopePropagator$4.call(RequestScopePropagator.java:201)
        at com.google.gerrit.server.git.PerThreadRequestScope$Propagator$1.call(PerThreadRequestScope.java:75)
        at com.googlesource.gerrit.plugins.replication.PushOne.run(PushOne.java:241)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
        at java.util.concurrent.FutureTask.run(FutureTask.java:166)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
        at com.google.gerrit.server.git.WorkQueue$Task.run(WorkQueue.java:364)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:724)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
        at com.jcraft.jsch.Session.receive_kexinit(Session.java:582)
        at com.jcraft.jsch.Session.connect(Session.java:320)
        at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
        ... 25 more

Receiving machine:
sshd[19802]: fatal: Unable to negotiate a key exchange method [preauth

Nov 14, 2014
#1 Reinhard...@gmail.com
After looking more into the release notes from openssh 6.7p1, I found the following:
The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
Which algorithm is the replication plugin trying to use?
If needed, what would I have to enable to be able to use the replication plugin with the new ssh version?
Is it possible to fix the replication plugin to only use algorithms which are considered safe??

Nov 19, 2014
#2 Reinhard...@gmail.com
Is there a chance to get a reply on this soon?
Unfortunately I cannot make it a major bug which it is in my opinion!

Jan 6, 2015
#3 Reinhard...@gmail.com
Will there ever be a reply for this issue?
It would be great if someone could explain which algorithm the replication plugin is trying to use and how this can be changed / fixed!!
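
Added example (not part of the original thread, and not Gerrit, JGit or JSch code): the sshd message in the report names the key exchange method, and an SSH handshake fails as soon as any one category of the two KEXINIT proposals has no name in common. The sketch below applies the RFC 4253 rule (the first name on the client's list that the server also lists) per category to show which category breaks; the algorithm lists are constructed sample data, not the real defaults of either side, and the two transfer directions are merged into one list per category.

```python
"""RFC 4253 section 7.1 style negotiation between two SSH KEXINIT proposals.

All proposals below are constructed sample data, not captured from Gerrit,
JSch or sshd. Client-to-server and server-to-client lists are merged.
"""

CATEGORIES = ("kex", "host_key", "cipher", "mac")


def parse_namelist(text):
    """Split an SSH name-list (comma-separated, RFC 4251) into ordered names."""
    return [name for name in text.strip().split(",") if name]


def negotiate(client, server):
    """Return (chosen, failed): per-category pick and categories with no overlap."""
    chosen, failed = {}, []
    for category in CATEGORIES:
        offered = parse_namelist(client.get(category, ""))
        accepted = set(parse_namelist(server.get(category, "")))
        # The first name on the client's list that the server also lists wins.
        pick = next((name for name in offered if name in accepted), None)
        if pick is None:
            failed.append(category)
        else:
            chosen[category] = pick
    return chosen, failed


# Constructed proposal for an older client library (hypothetical).
SAMPLE_CLIENT = {
    "kex": "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
    "host_key": "ssh-rsa,ssh-dss",
    "cipher": "aes128-ctr,aes128-cbc,3des-cbc",
    "mac": "hmac-md5,hmac-sha1",
}
# Constructed proposal for a server with a trimmed algorithm set (hypothetical).
SAMPLE_SERVER = {
    "kex": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1",
    "host_key": "ssh-rsa,ecdsa-sha2-nistp256",
    "cipher": "aes128-ctr,aes256-ctr",
    "mac": "hmac-sha2-256,hmac-sha1",
}

if __name__ == "__main__":
    chosen, failed = negotiate(SAMPLE_CLIENT, SAMPLE_SERVER)
    for category in CATEGORIES:
        print(f"{category:9} -> {chosen.get(category, 'NO COMMON ALGORITHM')}")
    print("negotiation fails in:", ", ".join(failed) or "nothing")
```

With the sample lists, ciphers and MACs still overlap and only the key exchange category has no common name, so comparing the real proposals of both sides category by category is the first check before changing any server setting.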