Topic review

SoCal

Same problem with RSA

Very good, thanks so much for your help.
SoCal

Re: Same problem with RSA

martin wrote:

Please try 5.8.3 RC. It will provide more details in the error message.


Here's the 5.8.3 RC log; it does indeed appear to be the same problem ("dh key too small"). I can provide this log to the partner but I'm still not sure exactly what to tell him in terms of upgrading his server.
martin

Re: Same problem with RSA

Please try 5.8.3 RC. It will provide more details in the error message.
SoCal

Same problem with RSA

Hello,

I'm trying to use WinSCP v5.7.7 to connect to a partner and am experiencing the same problem described in this thread. I relayed the thread to my contact at the partner and was told "Our certs are RSA 2048 bit. We are not going to be able to reissue our SSL certificates." In initial testing I used an older version of WinSCP successfully with this partner (unfortunately I don't know which version it was). Upon upgrading to v5.7.7 I encountered the error.

Although it seems likely, I don't know enough about encryption to know if the fact that their certificates are RSA means they are not using a DH key. As such I am having trouble advising the partner on what they need to do to make their server work with WinSCP v5.7.7.

Can you advise on how I can figure out what cipher they are using and what their key length is? I would like to advise the partner on how to configure their installation so as to support WinSCP v5.7.7 but don't know what to tell them, other than having referred them to this thread.

I'm running WinSCP from a command line, with a script file.

Thanks in advance.
martin

Re: alas, still not working

It's a misunderstanding. WinSCP uses OpenSSL. Upgrading OpenSSL on the server side does not help. They need to upgrade their FTP server DH key to 1024-bit at least to be able to talk to clients using the latest OpenSSL version.

My email address is in my forum profile.
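The check martin describes (the server's DH group must be at least 1024 bits for a client built on OpenSSL 1.0.1r/1.0.2f or later) and SoCal's earlier question about how to find out what cipher and key length a partner's server uses, as an added shell example. This is not part of the thread and not WinSCP code. It feeds `openssl s_client` output through a small parser and flags a group below the floor; the function names, the `DH_PROBE_CIPHER` variable, the `dhcheck.sh` file name and the sample `s_client` lines are assumptions/constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of WinSCP: probe the ephemeral DH
# group an FTPS server offers and compare it with the 1024-bit floor that
# OpenSSL enforces since 1.0.1r/1.0.2f ("dh key too small").

DH_MIN_BITS=1024   # floor enforced by the client-side OpenSSL

# Read `openssl s_client` output on stdin and print the DH modulus size in
# bits, or "none" when the handshake used another key exchange (plain RSA,
# as FileZilla negotiated in this thread). s_client prints the line from
# OpenSSL 1.0.2 on; it looks like: "Server Temp Key: DH, 768 bits".
dh_bits_from_s_client() {
    awk -F'[ ,]+' '/^Server Temp Key: DH/ { print $5; found = 1 }
                   END { if (!found) print "none" }'
}

# Exit status: 0 = DH group large enough, 1 = too small, 2 = no DH in use.
judge_dh_bits() {
    [ "$1" = "none" ] && return 2
    [ "$1" -ge "$DH_MIN_BITS" ]
}

# Live probe (needs network and an OpenSSL >= 1.0.2 client). Forcing an
# ephemeral-DH cipher makes the server send its group in ServerKeyExchange.
# With OpenSSL 1.0.2 the 1024-bit check is unconditional, so a handshake that
# dies with "dh key too small" is itself the diagnosis. With OpenSSL >= 1.1.0
# the floor follows the security level, so to read the size of a too-small
# group set DH_PROBE_CIPHER='EDH:@SECLEVEL=0' (assumed variable) for the probe.
probe_ftps_dh() {
    host=$1
    port=${2:-21}
    openssl s_client -connect "$host:$port" -starttls ftp \
        -cipher "${DH_PROBE_CIPHER:-EDH}" </dev/null 2>/dev/null \
        | dh_bits_from_s_client
}

# Server-side fix (run on the FTP server, not the client): generate a fresh
# 2048-bit group and point the FTP daemon's DH-parameter setting at the file.
make_dh_params() {
    openssl dhparam -out "${1:-dh2048.pem}" 2048
}

# Usage (assumed file name): sh dhcheck.sh ftp.box.com [port]
if [ $# -gt 0 ]; then
    bits=$(probe_ftps_dh "$@")
    judge_dh_bits "$bits"; status=$?
    echo "DH group: $bits bits (minimum $DH_MIN_BITS); status $status"
    exit $status
fi
```

Running the same probe without `-cipher` shows which key exchange the client picks on its own, which is how the RSA-versus-DHE difference between FileZilla and WinSCP reported later in the thread becomes visible.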
cooch17

alas, still not working

Box updated to openSSL 1.0.1s (I believe), but I'm still getting the error. See attached session log (debug level 2).

At this point, it might make more sense for you to work directly with Box.com. If you PM me, I can put you in touch with the right people.
cooch17

Re: SSL/TLS problem | 5.7.7 | cloud service

martin wrote:

I did some debugging. WinSCP agrees on DH key exchange with the ftp.box.com. But the ftp.box.com offers 768 bits key only.

Since OpenSSL 1.0.1r/1.0.2f, the OpenSSL requires 1024 bit key unconditionally:
https://github.com/openssl/openssl/commit/a4530ce0398d673b25a15b72a18dee1d8b14c07d

Please advise box.com to upgrade their key.

The next version will include "dh key too small" message in the error.


Thank you very much -- I will pass that along to the engineers at box.com
martin

Re: SSL/TLS problem | 5.7.7 | cloud service

I did some debugging. WinSCP agrees on DH key exchange with the ftp.box.com. But the ftp.box.com offers 768 bits key only.

Since OpenSSL 1.0.1r/1.0.2f, the OpenSSL requires 1024 bit key unconditionally:
https://github.com/openssl/openssl/commit/a4530ce0398d673b25a15b72a18dee1d8b14c07d

Please advise box.com to upgrade their key.

The next version will include "dh key too small" message in the error.
cooch17

results from FileZilla

Since FileZilla has been reported by Box.com to work fine (whereas WinSCP 5.7.7 doesn't work at all), I downloaded latest build of FileZilla, and pointed it at ftp.box.com. Worked fine - no problems whatsoever.

Here are some specifics...which seems identical to what I think WinSCP is using, but, WinSCP doesn't work.

host: ftp.box.com:21
Protocol: TLS1.0
Key exchange: RSA
Cipher: AES-128-CBC
MAC: SHA1
cooch17

Re: SSL/TLS problem | 5.7.7 | cloud service

martin wrote:

Thanks for your report. What cipher does WinSCP 5.7.6 use against the server?


Not sure, unless that information is in the log file (see below). If not, then could you tell me how I find out?


Please attach a full log file both from 5.7.6 and 5.7.7.


To generate a log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.


Done -- using debug level 2. Attached, log for 5.7.6, followed (in same file) by log for 5.7.7.

Now, it does seem like the same issue as in https://winscp.net/forum/viewtopic.php?t=22954. The engineers at Box.com say that of the clients they've tried, only WinSCP isn't working (but older versions of WinSCP do work).
martin

Re: SSL/TLS problem | 5.7.7 | cloud service

Thanks for your report. What cipher does WinSCP 5.7.6 use against the server?

Please attach a full log file both from 5.7.6 and 5.7.7.

To generate a log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.
cooch17

maybe related

Superficially, this seems related to https://winscp.net/forum/viewtopic.php?t=22954

However, the problem (as per OP in this thread) is not influenced by tweaking min/max TLS (over range 1.0 -> 1.2), or changing (enabling) SSL 3.0.
johnny_canuck

SSL/TLS problem | 5.7.7 | cloud service

I have been using WinSCP for years, without major problems, for all SSL-based transfers -- including those to my box.com cloud account. However, with the upgrade in WinSCP from 5.7.6 to 5.7.7, transfers to box.com aren't working (and, this has been confirmed by the support team at box.com, who have replicated the problem).

Basically, to connect to the box.com ftp servers, I use FTP as the protocol, with TLS/SSL Explicit encryption, pointing at port 21, ftp.box.com. Works perfectly under 5.7.6. However, if instead I install 5.7.7 (where the only significant change in WinSCP from .6 to .7 was TLS/SSL core upgraded to OpenSSL 1.0.1s, as I understand it), I get the following:

SSL3 alert write: fatal: handshake failure

TLS connect: error in error
Can't establish TLS connection
Disconnected from server
Connection failed.


If I revert back to an earlier version of WinSCP (using slightly older TLS), connects perfectly.


Here is a more detailed log:

2016-03-10 17:35:56.640 --------------------------------------------------------------------------

. 2016-03-10 17:35:56.640 Session upkeep
. 2016-03-10 17:35:56.702 Connecting to ftp.box.com ...
. 2016-03-10 17:35:56.733 Connected with ftp.box.com, negotiating TLS connection...
< 2016-03-10 17:35:56.807 220 Service ready for new user.
> 2016-03-10 17:35:56.807 AUTH SSL
< 2016-03-10 17:35:56.900 234 Command AUTH okay; starting SSL connection.
. 2016-03-10 17:35:58.211 SSL3 alert write: fatal: handshake failure
. 2016-03-10 17:35:58.211 TLS connect: error in error
. 2016-03-10 17:35:58.211 Can't establish TLS connection
. 2016-03-10 17:35:58.211 Disconnected from server
. 2016-03-10 17:35:58.211 Connection failed.
. 2016-03-10 17:35:58.226 Got reply 1004 to the command 1
* 2016-03-10 17:35:58.242 (EFatal) Connection failed.
* 2016-03-10 17:35:58.242 SSL3 alert write: fatal: handshake failure


This has been confirmed several times by box.com, who (as of yesterday) sent me the following:


"Apologies for the delay here. We were able to reproduce your issue with WinSCP, but are having trouble recreating the errors in other FTP clients (eg. Filezilla) with the same setup (Explicit, port 21).

With the new version of WinSCP, are you able to connect with a non-encrypted connection without error?"



So, they can replicate the problem, but only if using WinSCP.

At this point, seems as if this should be a direct conversation between the WinSCP dev team and the engineers for box.com. If you let me know who on the WinSCP side of things I should put in touch with box.com, I'll pass along the appropriate contact information, incident number, etc.