SNMP v3 get with SHA or MD5 authentication and AES 192 or 256 encryption results in an error. #855

Open
f1gm3nt3d opened this issue Sep 25, 2024 · 1 comment

@f1gm3nt3d
I'm working against snmpd from Net-Snmp 5.9.3 on Ubuntu 23.10. Every manager I've tried fails to retrieve a variable from the agent with a combination of either SHA (as in SHA-1) or MD5 as the auth protocol and Aes256 as the privacy protocol.

The error being recorded in syslog is: security service 3 error parsing ScopedPDU.

Any combination of authentication and privacy protocols that does not require key expansion works correctly, and my managers can receive traps from snmpd using the SHA/MD5 and AES256 combo just fine. It is only an issue when snmpd is receiving a message with that combo.

Using SnmpGet with SHA/MD5 and AES 192/256 on the same machine also fails.

I've tested this against a different agent and my managers and snmpget are able to retrieve variables from it with the SHA/AES256 combo. In addition, Wireshark is also able to authenticate, decrypt, and parse the messages correctly.

@fenner
Member

fenner commented Sep 26, 2024

I recommend avoiding combinations that require key expansion altogether.

There are two different key expansion mechanisms in common use. net-snmp represents one of them as, e.g., "AES256", and the other as, e.g., "AES256C". You should try creating your user with the "other" mechanism and see if you get better results.
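
Why the choice of expansion mechanism matters, as an added example that is not part of this thread and is not net-snmp code: it derives an SNMPv3 privacy key both ways and shows the results diverge only when the localized key is shorter than the AES key. It assumes the two mechanisms meant above are the key extensions from the Blumenthal and Reeder Internet-Drafts; the thread does not say which one net-snmp calls "AES256" and which "AES256C". The function names are hypothetical, and the passphrase and engine ID are constructed sample values.

```python
import hashlib

MIB = 1048576  # RFC 3414 A.2 hashes exactly 1,048,576 bytes of repeated passphrase

def password_to_key(passphrase: bytes, hash_name: str) -> bytes:
    """RFC 3414 password-to-key: Ku = H(passphrase repeated to 1 MiB)."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    stream = (passphrase * (MIB // len(passphrase) + 1))[:MIB]
    return hashlib.new(hash_name, stream).digest()

def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 key localization: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def expand_blumenthal(kul: bytes, hash_name: str, key_len: int) -> bytes:
    """Assumed mechanism 1: append H(key so far) until long enough."""
    key = kul
    while len(key) < key_len:
        key += hashlib.new(hash_name, key).digest()
    return key[:key_len]

def expand_reeder(kul: bytes, engine_id: bytes, hash_name: str, key_len: int) -> bytes:
    """Assumed mechanism 2: rerun password-to-key on the key, localize, append."""
    key = kul
    while len(key) < key_len:
        key += localize(password_to_key(key, hash_name), engine_id, hash_name)
    return key[:key_len]

def derive_priv_keys(passphrase: bytes, engine_id: bytes, hash_name: str, key_len: int):
    """Return (blumenthal_key, reeder_key) for one user on one engine."""
    kul = localize(password_to_key(passphrase, hash_name), engine_id, hash_name)
    return (expand_blumenthal(kul, hash_name, key_len),
            expand_reeder(kul, engine_id, hash_name, key_len))

if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # constructed sample
    for auth, cipher, n in [("sha1", "AES-256", 32), ("md5", "AES-192", 24),
                            ("sha1", "AES-128", 16), ("sha256", "AES-256", 32)]:
        b, r = derive_priv_keys(b"maplesyrup", engine_id, auth, n)  # constructed passphrase
        print(f"{auth:>6}/{cipher}: keys {'match' if b == r else 'DIFFER'}")
        print(f"    blumenthal {b.hex()}\n    reeder     {r.hex()}")
```

A manager and an agent that pick different mechanisms share the same authentication key but not the same privacy key, so a message can authenticate and still fail to decrypt.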
