[Bug?]: Intermittent connections failing with "crypto/rsa: verification error" #1750

Closed
2 tasks done
nzx-jsantaana opened this issue Sep 6, 2024 · 2 comments
Labels
bug Something isn't working


⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration issue.
  • This issue is not already reported on GitHub (I've searched it).

Bug description

We see intermittent instances of users failing SSH negotiation. They don't even get to authentication; the connection fails somewhere in the SSH handshake, and SFTPGo logs a "crypto/rsa: verification error" message. From the client's point of view, the connection drops unexpectedly.

This problem only occurs rarely (<1% of connections for affected users), and doesn't affect all users. I have not been able to identify any common factors among the users that are affected, and there's no sign that the server is hitting connection limits or is experiencing significant load. Users who experience the problem can reconnect successfully the next time they try, but it tends to trip up semi-automated transfers with poor error handling.

Steps to reproduce

The bug cannot be reliably reproduced, only statistically over a large number of connections.

  1. Wait for users to connect a significant number of times.
  2. Search the logs for "crypto/rsa: verification error"

Expected behavior

User is able to negotiate the SSH connection and proceed to authentication.

SFTPGo version

2.6.2

Data provider

PostgreSQL

Installation method

Community RPM package

Configuration

Via env.d entries (proxy addresses redacted):

SFTPGO_COMMON__PROXY_PROTOCOL=1
SFTPGO_COMMON__PROXY_ALLOWED="1.1.1.1, 1.1.2.1"
---
SFTPGO_COMMON__UPLOAD_MODE=1
SFTPGO_HTTPD__BINDINGS__0__HIDE_LOGIN_URL=2
SFTPGO_COMMON__MAX_PER_HOST_CONNECTIONS=2000
---
SFTPGO_DATA_PROVIDER__DRIVER=postgresql
SFTPGO_DATA_PROVIDER__NAME=sftpgo
SFTPGO_DATA_PROVIDER__HOST=127.0.0.1
SFTPGO_DATA_PROVIDER__PORT=5432
SFTPGO_DATA_PROVIDER__USERNAME=sftpgo
SFTPGO_DATA_PROVIDER__PASSWORD=*******

Relevant log output

Sep  5 16:50:50 hostname sftpgo[477962]: {"level":"debug","time":"2024-09-05T16:50:50.138","sender":"sftpd","message":"failed to accept an incoming connection from ip \"1.2.3.4\": crypto/rsa: verification error"}
Sep  5 16:50:50 hostname  sftpgo[477962]: {"level":"debug","time":"2024-09-05T16:50:50.138","sender":"connection_failed","client_ip":"1.2.3.4","username":"","login_type":"no_auth_tried","protocol":"SSH","error":"crypto/rsa: verification error"}

What are you using SFTPGo for?

Medium business

Additional info

I realize that this will probably turn out to be an obscure network problem of some sort rather than a bug in SFTPGo, and we are looking into that as well. I raise this issue to ask whether there's anything we can do to get more information out of SFTPGo, or whether it comes down to "the crypto/rsa component throws an error and that's about all we can get".

@nzx-jsantaana nzx-jsantaana added the bug Something isn't working label Sep 6, 2024
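
One way to run the log search from the reproduction steps and break the matches down by client IP and hour, as an added example that is not part of the original issue or of SFTPGo's code. The sample lines are constructed, modelled on the two log lines quoted in the issue, and the function names are illustrative.

```python
import json
from collections import Counter

TARGET_ERROR = "crypto/rsa: verification error"

# Constructed sample input in the syslog + JSON shape quoted in the issue.
# Addresses are documentation ranges; the "unrelated" error text is a placeholder.
SAMPLE_LOG = r'''
Sep  5 16:50:50 hostname sftpgo[477962]: {"level":"debug","time":"2024-09-05T16:50:50.138","sender":"sftpd","message":"failed to accept an incoming connection from ip \"192.0.2.10\": crypto/rsa: verification error"}
Sep  5 16:50:50 hostname sftpgo[477962]: {"level":"debug","time":"2024-09-05T16:50:50.138","sender":"connection_failed","client_ip":"192.0.2.10","username":"","login_type":"no_auth_tried","protocol":"SSH","error":"crypto/rsa: verification error"}
Sep  5 16:58:41 hostname sftpgo[477962]: {"level":"debug","time":"2024-09-05T16:58:41.002","sender":"connection_failed","client_ip":"198.51.100.7","username":"","login_type":"no_auth_tried","protocol":"SSH","error":"crypto/rsa: verification error"}
Sep  5 16:59:02 hostname sftpgo[477962]: {"level":"debug","time":"2024-09-05T16:59:02.770","sender":"connection_failed","client_ip":"198.51.100.7","username":"","login_type":"no_auth_tried","protocol":"SSH","error":"constructed unrelated error"}
Sep  5 17:00:00 hostname systemd[1]: constructed non-JSON line that must be skipped
Sep  5 17:12:03 hostname sftpgo[477962]: {"level":"debug","time":"2024-09-05T17:12:03.511","sender":"connection_failed","client_ip":"192.0.2.10","username":"","login_type":"no_auth_tried","protocol":"SSH","error":"crypto/rsa: verification error"}
'''

def parse_payload(line):
    """Return the JSON object that follows the syslog prefix, or None."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        record = json.loads(line[start:])
    except ValueError:
        return None
    return record if isinstance(record, dict) else None

def handshake_failures(lines, error=TARGET_ERROR):
    """Yield pre-authentication failures carrying the given error string."""
    for line in lines:
        rec = parse_payload(line)
        # In the issue's excerpt one failure produces two records with the same
        # timestamp ("sftpd" and "connection_failed"); count only the structured
        # one so each failed handshake is counted once.
        if (rec and rec.get("sender") == "connection_failed"
                and rec.get("login_type") == "no_auth_tried"
                and rec.get("error") == error):
            yield rec

def summarize(lines):
    """Count matching failures per client IP and per hour (YYYY-MM-DDTHH)."""
    by_ip, by_hour = Counter(), Counter()
    for rec in handshake_failures(lines):
        by_ip[rec.get("client_ip", "unknown")] += 1
        by_hour[rec.get("time", "")[:13]] += 1
    return by_ip, by_hour

if __name__ == "__main__":
    ips, hours = summarize(SAMPLE_LOG.splitlines())
    print(ips.most_common(), sorted(hours.items()))
```

With `SFTPGO_COMMON__PROXY_PROTOCOL=1` as in the configuration above, `client_ip` should be the address passed by the proxy, so the per-IP tally can be compared against the proxy's own connection logs for the same hours.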
Owner

drakkan commented Sep 6, 2024

Hi, this is a bug that occurs in some edge cases.
I already fixed it for commercial users a few weeks ago. As a community user, you have to wait until I have some free time, sorry.

Owner

drakkan commented Sep 8, 2024

A fix for this will be included in the next stable release (no planned date yet).

@drakkan drakkan closed this as completed Sep 8, 2024
Repository owner locked and limited conversation to collaborators Sep 8, 2024