Specify cipher from command line

kbecker

I need WinSCP to use an AES GCM cipher when connecting to a host. Here is the command line that is executed. I have tried specifying both GCM and CTR ciphers but the log file shows that the cipher WinSCP uses is not affected by what is on the command line.
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /ciphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com /log="E:\logs\WinSCP_UATTest_%date:~10,4%%date:~4,2%%date:~7,2%__%time:~0,2%%time:~3,2%%time:~6,2%.log" /script="E:\Scripts\Test_UAT.params"
Another example trying to force AES CTR. Again, the log file shows that WinSCP ignores the ciphers parameter.
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /ciphers=aes256-ctr /log="E:\logs\WinSCP_UATTest_%date:~10,4%%date:~4,2%%date:~7,2%__%time:~0,2%%time:~3,2%%time:~6,2%.log" /script="E:\Scripts\Test_UAT.params"

kbecker

Re: Specify cipher from command line

We are connecting to the host with SFTP for the file protocol. Under Advanced settings there is a section for the SSH protocol where you can arrange the order of the ciphers.

I need to do something similar from the command line.

When we connect to our current host, it uses AES-CTR. The host says they will no longer support that protocol and we have to use AES-GCM. I am trying to start using GCM now but do not know how to force it.

kbecker

Thanks for that. I was using /ciphers, not /cipher.

However, I still cannot get it to work. Here are some sections from the log file.
. 2025-04-10 08:54:55.003 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe"  /ini=nul /cipher=chacha20,WARN,aes,aesgcm /log="E:\JPM\logs\WinSCP_UATTest_20250410__ 85453.log" /script="E:\JPM\Scripts\Test_UAT.params"
. 2025-04-10 08:54:55.003 Transfer Protocol: SFTP
. 2025-04-10 08:54:55.003 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2025-04-10 08:54:55.003 Disable Nagle: No
. 2025-04-10 08:54:55.003 Proxy: None
. 2025-04-10 08:54:55.003 Send buffer: 262144
. 2025-04-10 08:54:55.003 Compression: No
. 2025-04-10 08:54:55.003 Bypass authentication: No
. 2025-04-10 08:54:55.003 Try agent: Yes; Agent forwarding: No; KI: Yes; GSSAPI: Yes
. 2025-04-10 08:54:55.003 GSSAPI: KEX: No; Forwarding: No; Libs: gssapi32,sspi,custom; Custom: 
. 2025-04-10 08:54:55.003 Ciphers: aes,chacha20,aesgcm,3des,WARN,des,blowfish,arcfour; Ssh2DES: No
. 2025-04-10 08:54:55.003 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2025-04-10 08:54:55.003 Simple channel: Yes
< 2025-04-10 08:54:55.112 Script: Connecting to host...
. 2025-04-10 08:54:55.112 We claim version: SSH-2.0-WinSCP_release_6.5
. 2025-04-10 08:54:55.159 Remote version: SSH-2.0-SSHD
. 2025-04-10 08:54:55.159 Using SSH protocol version 2
. 2025-04-10 08:54:55.159 Have a known host key of type rsa2
. 2025-04-10 08:54:55.159 Enabling strict key exchange semantics
. 2025-04-10 08:54:55.174 Doing ECDH key exchange with curve Curve25519, using hash SHA-256
< 2025-04-10 08:54:55.315 Script: Authenticating...
. 2025-04-10 08:54:55.315 Host key matches configured key fingerprint
. 2025-04-10 08:54:55.315 Initialised AES-128 GCM (AES-NI accelerated) [aes128-gcm@openssh.com] outbound encryption
. 2025-04-10 08:54:55.315 Initialised AES-GCM (unaccelerated) outbound MAC algorithm (in ETM mode) (required by cipher)
. 2025-04-10 08:54:55.315 Initialised AES-128 GCM (AES-NI accelerated) [aes128-gcm@openssh.com] inbound encryption
. 2025-04-10 08:54:55.315 Initialised AES-GCM (unaccelerated) inbound MAC algorithm (in ETM mode) (required by cipher)

martin
Site Admin

I haven't suggested using any /cipher.
If you follow my advice above, you should arrive at syntax like this:
open sftp://user@example.com/ -rawsettings Cipher="aes,aesgcm,WARN,chacha20,3des,des,blowfish,arcfour"

kbecker

Re: Specify cipher from command line

Thanks Martin. I was putting that option on the command line. Added it to the params file and it works.
_________________
Thanks and have a great day!
Ken
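
To confirm after a scripted run which cipher the session actually negotiated, rather than which preference list was configured, the session log can be checked automatically. The following is an added example, not code from this thread or from WinSCP; the function names and the `-gcm@` policy substring are assumptions, and the sample lines are constructed in the format of the log quoted above.

```python
import re

# Constructed sample: lines in the format of the WinSCP session log quoted in this thread.
SAMPLE_LOG = """\
. 2025-04-10 08:54:55.003 Ciphers: aes,chacha20,aesgcm,3des,WARN,des,blowfish,arcfour; Ssh2DES: No
. 2025-04-10 08:54:55.315 Initialised AES-128 GCM (AES-NI accelerated) [aes128-gcm@openssh.com] outbound encryption
. 2025-04-10 08:54:55.315 Initialised AES-GCM (unaccelerated) outbound MAC algorithm (in ETM mode) (required by cipher)
. 2025-04-10 08:54:55.315 Initialised AES-128 GCM (AES-NI accelerated) [aes128-gcm@openssh.com] inbound encryption
"""

# "Ciphers:" is the configured preference order; "Initialised ... encryption" is the outcome.
PREF_RE = re.compile(r"\bCiphers: ([^;]+);")
NEGOTIATED_RE = re.compile(r"Initialised .*\[([^\]]+)\] (outbound|inbound) encryption")

def parse_session(log_text):
    """Return (configured preference list, {direction: negotiated cipher name})."""
    preference, negotiated = [], {}
    for line in log_text.splitlines():
        m = PREF_RE.search(line)
        if m:
            preference = m.group(1).split(",")
        m = NEGOTIATED_RE.search(line)
        if m:
            negotiated[m.group(2)] = m.group(1)
    return preference, negotiated

def audit(log_text, required_substring="-gcm@"):
    """List policy problems; an empty list means both directions negotiated AES-GCM."""
    preference, negotiated = parse_session(log_text)
    problems = []
    for direction in ("outbound", "inbound"):
        cipher = negotiated.get(direction)
        if cipher is None:
            problems.append(f"{direction}: no negotiated cipher found in log")
        elif required_substring not in cipher:
            problems.append(f"{direction}: negotiated {cipher}, expected AES-GCM")
    # Entries listed after WARN fall below the client's warning threshold.
    if "WARN" in preference and "aesgcm" in preference:
        if preference.index("aesgcm") > preference.index("WARN"):
            problems.append("aesgcm is listed after WARN in the Ciphers preference")
    return problems

if __name__ == "__main__":
    print(parse_session(SAMPLE_LOG))
    print(audit(SAMPLE_LOG) or "OK: AES-GCM in both directions")
```
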
