Info: Supported SSH Ciphers, HMACs, Key Exchanges, and Public Keys

Applies To: 

Venafi Trust Protection Platform 22.1 and higher


Venafi Trust Protection Platform uses outbound SSH communication in the TLS Protect and SSH Protect products for the following:

TLS Protect

  • Agentless Push Provisioning of TLS certificates to target systems
  • Onboard Discovery of target systems to find TLS Certificates
  • Management of Certificate Trust Stores on target systems
  • Daily Installation Validation of TLS certificates to ensure the correct certificate is installed on the expected target system with expected configuration

SSH Protect

  • Agentless Discovery of User Private Keys, Server Private Keys, Authorized Key files, and Known Host files
  • Agentless rotation of User and Server Private Keys, with updates to the Authorized Key and Known Host files
  • Agentless installation and rotation of SSH Certificates

The Ciphers, HMACs, Key Exchanges, and Public Keys available to establish a successful SSH connection depend on a number of factors:

  • SSH configuration and algorithm support of the target system
  • Version of Trust Protection Platform (22.1 or higher, or 21.4 or lower)
  • Whether the Common Criteria Compliant registry value is enabled (see the end of this article for more detail)

About the table below: HMACs, Key Exchanges, and Public Keys that were added in Trust Protection Platform 22.1 are marked under "New in 22.1+". These additions are not available for backport or patching to previous versions.



SSH Identifier

New in 22.1+





Ciphers

3des-cbc     ✔️  
  aes128-cbc   ✔️ ✔️  
  aes192-cbc     ✔️  
  aes256-cbc   ✔️ ✔️  
  3des-ctr     ✔️  
  aes128-ctr   ✔️ ✔️ RFC 4344
  aes192-ctr     ✔️  
  aes256-ctr   ✔️ ✔️ RFC 4344


HMACs

hmac-sha2-256   ✔️ ✔️ RFC 6668
  hmac-sha2-256-etm ✔️   ✔️  
  hmac-sha2-384     ✔️  
  hmac-sha2-512   ✔️ ✔️ RFC 6668
  hmac-sha2-512-etm ✔️   ✔️  
  hmac-sha1     ✔️  

Key Exchanges

curve25519-sha256 ✔️ ✔️ ✔️ RFC 8731 ✔️   ✔️  
  curve448-sha512 ✔️ ✔️   RFC 8731
  ecdh-sha2-nistp256 ✔️ ✔️ ✔️ RFC 5656
  ecdh-sha2-nistp384 ✔️ ✔️ ✔️ RFC 5656
  ecdh-sha2-nistp521 ✔️ ✔️ ✔️ RFC 5656
  diffie-hellman-group18-sha512   ✔️ ✔️ RFC 8268
  diffie-hellman-group16-sha512   ✔️ ✔️ RFC 8268
  diffie-hellman-group14-sha256   ✔️ ✔️ RFC 8268
  diffie-hellman-group14-sha1     ✔️  
  diffie-hellman-group1-sha1     ✔️  

Public Keys

ssh-rsa   ✔️ ✔️  
  rsa-sha2-256 ✔️ ✔️ ✔️ RFC 8332
  rsa-sha2-512 ✔️ ✔️ ✔️ RFC 8332
  ecdsa-sha2-nistp256   ✔️ ✔️ RFC 5656
  ecdsa-sha2-nistp384   ✔️ ✔️ RFC 5656
  ecdsa-sha2-nistp521   ✔️ ✔️ RFC 5656
  ssh-ed25519   ✔️ ✔️ RFC 8709

Note: In earlier versions of Trust Protection Platform, hmac-sha1 and diffie-hellman-group14-sha1 were enabled in Common Criteria mode.  These have been removed from the Common Criteria list in TPP versions 22.1 or higher. Also, hmac-ripemd160 was removed completely in 22.1.

Common Criteria Compliance:

In order to configure Venafi Trust Protection Platform to only use Common Criteria compliant SSH algorithms for outbound SSH communication, you must:

Put the following lines in Windows Notepad and save as a *.reg file:

Windows Registry Editor Version 5.00

"Common Criteria Compliant"=dword:00000001

You must apply the registry file to all Venafi Servers in your environment.

Error Scenario:

If you see an error message similar to the one below, you need to upgrade Trust Protection Platform to 22.1 or higher.

The SSH library failed to connect to {Target System} on port 22, with the Connection Result 9: Failed to negotiate a transport component [diffie-hellman-group14-sha1] [curve25519-sha256]

This message indicates that Trust Protection Platform could not find an algorithm that was supported by both TPP and the remote server.
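
To check a target before Trust Protection Platform connects to it, the following added example (not Venafi code) compares the algorithm lists a target prints with `sshd -T` against the identifiers listed in this article, and flags categories where the only overlap is an identifier marked "New in 22.1+", which is the situation the error above describes. It assumes exact name comparison, maps "Public Keys" to the host key algorithm list, reads the "New in 22.1+" marks from the first tick column of the table as it appears here, and does not model Common Criteria mode.

```python
# Added example. Identifiers are copied from the table in this article;
# NEW holds the rows whose "New in 22.1+" column is ticked.
LISTED = {
    "ciphers": "3des-cbc aes128-cbc aes192-cbc aes256-cbc 3des-ctr "
               "aes128-ctr aes192-ctr aes256-ctr",
    "macs": "hmac-sha2-256 hmac-sha2-256-etm hmac-sha2-384 hmac-sha2-512 "
            "hmac-sha2-512-etm hmac-sha1",
    "kexalgorithms": "curve25519-sha256 curve448-sha512 ecdh-sha2-nistp256 "
                     "ecdh-sha2-nistp384 ecdh-sha2-nistp521 "
                     "diffie-hellman-group18-sha512 diffie-hellman-group16-sha512 "
                     "diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 "
                     "diffie-hellman-group1-sha1",
    # Assumption: the article's "Public Keys" are matched against host key algorithms.
    "hostkeyalgorithms": "ssh-rsa rsa-sha2-256 rsa-sha2-512 ecdsa-sha2-nistp256 "
                         "ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519",
}
NEW = set("hmac-sha2-256-etm hmac-sha2-512-etm curve25519-sha256 curve448-sha512 "
          "ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 "
          "rsa-sha2-256 rsa-sha2-512".split())

def parse_sshd_t(text):
    """Extract the four algorithm lists from `sshd -T` output."""
    offered = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in LISTED:
            offered[key.lower()] = [a for a in value.strip().split(",") if a]
    return offered

def assess(offered):
    """Per category: 'ok', 'needs-22.1' or 'no-match' (exact name comparison)."""
    report = {}
    for cat, names in LISTED.items():
        common = [a for a in offered.get(cat, []) if a in names.split()]
        if not common:
            report[cat] = "no-match"
        elif all(a in NEW for a in common):
            report[cat] = "needs-22.1"   # only algorithms added in 22.1 overlap
        else:
            report[cat] = "ok"
    return report

# Constructed sample: a hardened target, not output from a real system.
SAMPLE = """\
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
"""

if __name__ == "__main__":
    for cat, status in assess(parse_sshd_t(SAMPLE)).items():
        print(f"{cat:18} {status}")
```

A category reported as `ok` still depends on which algorithms are enabled on the Venafi server, for example when the Common Criteria Compliant registry value is set.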

