EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Problem on cipher negotiation (FTP)

Posted: 10/21/2014 06:11:53
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

Thank you for the reply,


instead of:

this.Client.Versions = SBSSLConstants.Unit.sbTLS12;

is should do:

this.Client.Versions = (SBSSLConstants.Unit.sbTLS1 | SBSSLConstants.Unit.sbTLS11 | SBSSLConstants.Unit.sbTLS12);


I`am using the .NET components (
Posted: 10/21/2014 06:22:22
by Ken Ivanov (Team)

Yes, that's right. Does it work for you in this way?

Posted: 10/21/2014 06:48:36
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

Not really.

I still must remove the !SSLv3 tag from the cipher rule.
Otherwise i can`t connect.

When i remove the !SSLv3 tag, i get: DHE-RSA-AES256-SHA as cipher.
I really don`t want to use SHA1 cipher.
Posted: 10/21/2014 07:56:04
by Ken Ivanov (Team)

Hi Rosso,

Right, thank you for checking that.

OK, let's try to summarise what we have for now before proceeding to pinpointing the issue. First, please remove all cipher suite limitations on the server and keep SSL3 and TLS1 enabled (HIGH:+TLSv1:!SSLv2) and check if the component is able to connect to the server.

Now, please introduce the !SSLv3 flag to the above line. Is the component still able to connect?

Posted: 10/21/2014 08:52:02
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

RESULT: SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher

RESULT: SSL/TLS: Enabled TLSv1/SSLv3 with ADH-AES256-GCM-SHA384, 256 secret bits cipher

But ADH is for sure not an option :)
Posted: 10/21/2014 09:11:51
by Ken Ivanov (Team)

No worries, it was just a trial and no-one is ever going to encourage you to use anonymous ciphers :).

Thank you for checking that anyway. The server is apparently coming up with an irrelevant error message if sets of cipher suites supported by client and server do not intersect.

What we will try to do now is tune up the client-side cipher suites so that they matched those on the server. In fact, I am a bit surprised that an anonymous cipher suite was negotiated, as all such cipher suites are disabled by default. We will have a look into the code to figure out how this could have happened.

Meanwhile, please do the following before calling the Open() method of the client:

1. Switch off all the ciphersuites:

for (int i = SBSSLConstants.Unit.SB_SUITE_FIRST; i <= SBSSLConstants.Unit.SB_SUITE_LAST; i++)
    client.set_CipherSuites(i, false);

2. Enable the cipher suites that are enabled on the server:

client.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_ECDHE_RSA_AES256_GCM_SHA384, true);
client.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384, true);
client.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_DHE_RSA_AES256_SHA256, true);

Please check if tuning the components as specified above helps.

Posted: 10/21/2014 09:55:13
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

Ok this seems to work now.

I can use

I think the EC* are currently not supported by pureftpd.

I don`t know but, maybe it would be a good idea to change the priorities of the ciphers in SBB?

Thank you for the help! it made me crazy .... :)
Posted: 10/21/2014 10:06:43
by Ken Ivanov (Team)

Great, thank you for confirming that.

In order for EC* cipher suites to be usable, the server software should be adequately configured (with ECDHE and/or ECDSA key pairs provided). So it is possible and likely that even a particular OpenSSL-based implementation might not support them.

There will be some re-work in default configuration of SecureBlackbox SSL subsystem following consequences of POODLE attack recognition for the market. I guess these changes will also include certain rearrangement of cipher suite configuration.




Topic viewed 5176 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!