Problem on cipher negotiation (FTP)

#31064
Posted: 10/21/2014 06:11:53
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

Thank you for the reply,

so

instead of:

Code
this.Client.Versions = SBSSLConstants.Unit.sbTLS12;


I should do:

Code
this.Client.Versions = (SBSSLConstants.Unit.sbTLS1 | SBSSLConstants.Unit.sbTLS11 | SBSSLConstants.Unit.sbTLS12);


?

I'm using the .NET components (12.0.261.0)
#31065
Posted: 10/21/2014 06:22:22
by Ken Ivanov (EldoS Corp.)

Yes, that's right. Does it work for you in this way?

Ken
#31068
Posted: 10/21/2014 06:48:36
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

Not really.

I still must remove the !SSLv3 tag from the cipher rule.
Otherwise I can't connect.


When I remove the !SSLv3 tag, I get: DHE-RSA-AES256-SHA as cipher.
I really don't want to use a SHA1 cipher.
#31077
Posted: 10/21/2014 07:56:04
by Ken Ivanov (EldoS Corp.)

Hi Rosso,

Right, thank you for checking that.

OK, let's try to summarise what we have for now before proceeding to pinpointing the issue. First, please remove all cipher suite limitations on the server and keep SSL3 and TLS1 enabled (HIGH:+TLSv1:!SSLv2) and check if the component is able to connect to the server.

Now, please introduce the !SSLv3 flag to the above line. Is the component still able to connect?

Ken
#31080
Posted: 10/21/2014 08:52:02
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

WITH: HIGH:+TLSv1:!SSLv2
RESULT: SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher

WITH: HIGH:+TLSv1:!SSLv2:!SSLv3
RESULT: SSL/TLS: Enabled TLSv1/SSLv3 with ADH-AES256-GCM-SHA384, 256 secret bits cipher


But ADH is for sure not an option :)
#31081
Posted: 10/21/2014 09:11:51
by Ken Ivanov (EldoS Corp.)

No worries, it was just a trial and no-one is ever going to encourage you to use anonymous ciphers :).

Thank you for checking that anyway. The server is apparently coming up with an irrelevant error message if sets of cipher suites supported by client and server do not intersect.

What we will try to do now is tune up the client-side cipher suites so that they match those on the server. In fact, I am a bit surprised that an anonymous cipher suite was negotiated, as all such cipher suites are disabled by default. We will have a look into the code to figure out how this could have happened.

Meanwhile, please do the following before calling the Open() method of the client:

1. Switch off all the ciphersuites:

Code
for (int i = SBSSLConstants.Unit.SB_SUITE_FIRST; i <= SBSSLConstants.Unit.SB_SUITE_LAST; i++)
{
    client.set_CipherSuites(i, false);
}


2. Enable the cipher suites that are enabled on the server:

Code
client.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_ECDHE_RSA_AES256_GCM_SHA384, true);
client.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384, true);
client.set_CipherSuites(SBSSLConstants.Unit.SB_SUITE_DHE_RSA_AES256_SHA256, true);
...


Please check if tuning the components as specified above helps.

Ken
#31083
Posted: 10/21/2014 09:55:13
by Rosso (Basic support level)
Joined: 04/03/2014
Posts: 18

Ok this seems to work now.

I can use
Code
SBSSLConstants.Unit.SB_SUITE_DHE_RSA_AES256_SHA256
.

I think the EC* are currently not supported by pureftpd.


I don't know, but maybe it would be a good idea to change the priorities of the ciphers in SBB?




Thank you for the help! It made me crazy .... :)
#31084
Posted: 10/21/2014 10:06:43
by Ken Ivanov (EldoS Corp.)

Great, thank you for confirming that.

In order for EC* cipher suites to be usable, the server software should be adequately configured (with ECDHE and/or ECDSA key pairs provided). So it is possible and likely that even a particular OpenSSL-based implementation might not support them.

There will be some re-work in the default configuration of the SecureBlackbox SSL subsystem following the consequences of the POODLE attack recognition for the market. I guess these changes will also include a certain rearrangement of the cipher suite configuration.

Ken
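
Added example (not part of the thread, and not EldoS or pure-ftpd code): a small Python check that parses server log lines of the form Rosso quoted and flags the negotiated suite for the two problems raised above, anonymous key exchange and a SHA1 MAC; the forward-secrecy flag goes slightly beyond the thread. The names `classify` and `audit` and the third sample line are constructed for illustration.

```python
import re

# Log line format as quoted in the thread (an optional "RESULT: " prefix is ignored).
LOG_RE = re.compile(r"SSL/TLS: Enabled (\S+) with (\S+), (\d+) secret bits cipher")

AEAD_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"}

def classify(suite):
    """Return policy findings for an OpenSSL-style cipher suite name."""
    if suite.startswith("TLS_"):
        # TLS 1.3 suites: always authenticated, ephemeral key exchange, AEAD.
        return []
    parts = suite.split("-")
    findings = []
    if parts[0] in ("ADH", "AECDH"):
        findings.append("anonymous key exchange: server is not authenticated")
    elif parts[0] not in ("DHE", "EDH", "ECDHE"):
        findings.append("no forward secrecy")
    # For AEAD suites the trailing hash is the PRF, not a record MAC.
    if not AEAD_TOKENS.intersection(parts) and parts[-1] in ("SHA", "MD5"):
        mac = "SHA1" if parts[-1] == "SHA" else "MD5"
        findings.append("legacy MAC: HMAC-" + mac)
    return findings

def audit(lines):
    """Map every negotiated suite found in the log lines to its findings."""
    report = {}
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            report[match.group(2)] = classify(match.group(2))
    return report

SAMPLE_LOG = [
    # First two lines are the results quoted in the thread.
    "SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher",
    "SSL/TLS: Enabled TLSv1/SSLv3 with ADH-AES256-GCM-SHA384, 256 secret bits cipher",
    # Constructed line for the suite that finally worked.
    "SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA256, 256 secret bits cipher",
]

if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_LOG).items():
        print(suite, "->", "; ".join(findings) or "ok")
```

Running it after each server or client cipher change confirms what was actually negotiated, rather than what either side was configured to prefer.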