SSL/TLS problem | 5.7.7 | cloud service :: Support Forum

johnny_canuck Guest

SSL/TLS problem | 5.7.7 | cloud service

2016-04-20 13:13

I have been using WinSCP for years, without major problems, for all SSL-based transfers -- including those to my box.com cloud account. However, with the upgrade in WinSCP from 5.7.6 to 5.7.7, transfers to box.com aren't working (and, this has been confirmed by the support team at box.com, who have replicated the problem).

Basically, to connect to the box.com ftp servers, I use FTP as the protocol, with TLS/SSL Explicit encryption, pointing at port 21, ftp.box.com. Works perfectly under 5.7.6. However, if instead I install 5.7.7 (where the only significant change in WinSCP from .6 to .7 was TLS/SSL core upgraded to OpenSSL 1.0.1s, as I understand it), I get the following:

SSL3 alert write: fatal: handshake failure
TLS connect: error in error
Can't establish TLS connection
Disconnected from server
Connection failed.

If I revert back to an earlier version of WinSCP (using slightly older TLS), connects perfectly.

Here is a more detailed log:

2016-03-10 17:35:56.640 --------------------------------------------------------------------------
. 2016-03-10 17:35:56.640 Session upkeep
. 2016-03-10 17:35:56.702 Connecting to ftp.box.com ...
. 2016-03-10 17:35:56.733 Connected with ftp.box.com, negotiating TLS connection...
< 2016-03-10 17:35:56.807 220 Service ready for new user.
> 2016-03-10 17:35:56.807 AUTH SSL
< 2016-03-10 17:35:56.900 234 Command AUTH okay; starting SSL connection.
. 2016-03-10 17:35:58.211 SSL3 alert write: fatal: handshake failure
. 2016-03-10 17:35:58.211 TLS connect: error in error
. 2016-03-10 17:35:58.211 Can't establish TLS connection
. 2016-03-10 17:35:58.211 Disconnected from server
. 2016-03-10 17:35:58.211 Connection failed.
. 2016-03-10 17:35:58.226 Got reply 1004 to the command 1
* 2016-03-10 17:35:58.242 (EFatal) Connection failed.
* 2016-03-10 17:35:58.242 SSL3 alert write: fatal: handshake failure

This has been confirmed several times by box.com, who (as of yesterday) sent me the following:

"Apologies for the delay here. We were able to reproduce your issue with WinSCP, but are having trouble recreating the errors in other FTP clients (eg. Filezilla) with the same setup (Explicit, port 21).

With the new version of WinSCP, are you able to connect with a non-encrypted connection without error?"

So, they can replicate the problem, but only if using WinSCP.

At this point, seems as if this should be a direct conversation between the WinSCP dev team and the engineers for box.com. If you let me know who on the WinSCP side of things I should put in touch with box.com, I'll pass along the appropriate contact information, incident number, etc.

Reply with quote

cooch17
Joined:: 2008-11-30
Posts:: 11
Location:: NY

maybe related

2016-04-20 13:30

Superficially, this seems related to https://winscp.net/forum/viewtopic.php?t=22954

However, the problem (as per OP in this thread) is not influenced by tweaking min/max TLS (over range 1.0 -> 1.2), or changing (enabling) SSL 3.0.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,466
Location:: Prague, Czechia

Re: SSL/TLS problem | 5.7.7 | cloud service

2016-04-22

Thanks for your report. What cipher does WinSCP 5.7.6 use against the server?

Please attach a full log file both from 5.7.6 and 5.7.7.

To generate log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Reply with quote

cooch17
Joined:: 2008-11-30
Posts:: 11
Location:: NY

Re: SSL/TLS problem | 5.7.7 | cloud service

2016-04-22 14:07

martin wrote:

Thanks for your report. What cipher does WinSCP 5.7.6 use against the server?

Note sure, unless that information is in the log file (see below). If not, then could you tell me how I find out?

Please attach a full log file both from 5.7.6 and 5.7.7.

To generate log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Done -- using debug level 2. Attached, log for 5.7.6, followed (in same file) by log for 5.7.7.

Now, it does seem like the same issue as in https://winscp.net/forum/viewtopic.php?t=22954. The engineers at Box.com say that of the clients they've tried, only WinSCP isn't working (but, older version of WinSCP do work).

ftp-box.log (11.11 KB, Private file)

Description: Log files from 5.7.6 and 5.7.7.

Reply with quote

cooch17
Joined:: 2008-11-30
Posts:: 11
Location:: NY

results from FileZilla

2016-04-26 03:00

Since FileZilla has been reported by Box.com to work fine (whereas WinSCP 5.7.7 doesn't work at all), I downloaded latest build of FileZilla, and pointed it at ftp.box.com. Worked fine - no problems whatsoever.

Here are some specifics...which seems identical to what I think WinSCP is using, but, WinSCP doesn't work.

host: ftp.box.com:21
Protocol: TLS1.0
Key exchange: RSA
Cipher: AES-128-CBC
MAC: SHA1

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,466
Location:: Prague, Czechia

Re: SSL/TLS problem | 5.7.7 | cloud service

2016-04-26

I did some debugging. WinSCP agrees on DH key exchange with the ftp.box.com. But the ftp.box.com offers 768 bits key only.

Since OpenSSL 1.0.1r/1.0.2f, the OpenSSL requires 1024 bit key unconditionally:
https://github.com/openssl/openssl/commit/a4530ce0398d673b25a15b72a18dee1d8b14c07d

Please advice the box.com to upgrade their key.

The next version will include "dh key too small" message in the error.

Reply with quote

cooch17
Joined:: 2008-11-30
Posts:: 11
Location:: NY

Re: SSL/TLS problem | 5.7.7 | cloud service

2016-04-26 13:41

martin wrote:

I did some debugging. WinSCP agrees on DH key exchange with the ftp.box.com. But the ftp.box.com offers 768 bits key only.

Since OpenSSL 1.0.1r/1.0.2f, the OpenSSL requires 1024 bit key unconditionally:
https://github.com/openssl/openssl/commit/a4530ce0398d673b25a15b72a18dee1d8b14c07d

Please advice the box.com to upgrade their key.

The next version will include "dh key too small" message in the error.

Thank you very much -- I will pass that along to the engineers at box.com

Reply with quote

cooch17
Joined:: 2008-11-30
Posts:: 11
Location:: NY

alas, still not working

2016-04-27 02:05

Box updated to openSSL 1.0.1s (I believe), but I'm still getting the error. See attached session log (debug level 2).

At this point, it might make more sense for you to work directly with Box.com. If you PM me, I can put you in touch with the right people.

session.log (3.25 KB, Private file)

Reply with quote

martin◆ Site Admin

Re: alas, still not working

2016-04-28

It's misunderstanding. WinSCP uses OpenSSL. Upgrading OpenSSL on the server side does not help. They need to upgrade their FTP server DH key to 1024-bit at least to be able to talk to clients using the latest OpenSSL version.

My email address is in my forum profile.

Reply with quote

SoCal Guest

Same problem with RSA

2016-05-23 20:05

Hello,

I'm trying to use WinSCP v5.7.7 to connect to a partner and am experiencing the same problem described in this thread. I relayed the thread to my contact at the partner and was told "Our certs are RSA 2048 bit. We are not going to be able to reissue our SSL certificates." In initial testing I used an older version of WinSCP successfully with this partner (unfortunately I don't know which version it was). Upon upgrading to v5.7.7 I encountered the error.

Although it seems likely, I don't know enough about encryption to know if the fact that their certificates are RSA means they are not using a DH key. As such I am having trouble advising the partner on what they need to do to make their server work with WinSCP v5.7.7.

Can you advise on how I can figure out what cipher they are using and what their key length is? I would like to advise the partner on how to configure their installation so as to support WinSCP v5.7.7 but don't know what to tell them, other than having referred them to this thread.

I'm running WinSCP from a command line, with a script file.

Thanks in advance.

xxxxx@xxxxx.net.log (2.72 KB, Private file)

Description: A WinSCP log, modified to protect the identity of the partner.

Reply with quote

martin◆ Site Admin

Re: Same problem with RSA

2016-05-26

Please try 5.8.3 RC. It will provide more details in the error message.

Reply with quote

SoCal Guest

Re: Same problem with RSA

2016-05-27 00:09

martin wrote:

Please try 5.8.3 RC. It will provide more details in the error message.

Here's the 5.8.3 RC log; it does indeed appear to be the same problem ("dh key too small"). I can provide this log to the partner but I'm still not sure exactly what to tell him in terms of upgrading his server.

user@host.log (3.14 KB, Private file)

Description: The log file from v5.8.3 RC

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,466
Location:: Prague, Czechia

Re: Same problem with RSA

2016-05-30

Thanks for the details.

Please tell them that "They need to upgrade their FTP server DH key to 1024-bit at least to be able to talk to clients using the latest OpenSSL version."

https://github.com/openssl/openssl/commit/a4530ce0398d673b25a15b72a18dee1d8b14c07d

Reply with quote