Terrapin security vulnerability
Posted: 2023-12-20 01:19
by JustinFTP
Does FileZilla need to react to the Terrapin vulnerability in the SSH protocol, for client or server?
https://terrapin-attack.com/
Re: Terrapin security vulnerability
Posted: 2023-12-20 09:13
by botg
Yes, this eventually needs to be addressed. Note that the client prefers ciphers that are not affected by this protocol vulnerability.
Re: Terrapin security vulnerability
Posted: 2023-12-30 22:54
by oxide
> Note that the client prefers ciphers that are not affected by this protocol vulnerability.
What ciphers might those preferred ones be?
I removed some of the affected ciphers from my sshd servers, and now FileZilla refuses to connect.
From the message log...
Status: Connecting to [redacted]...
Response: fzSftp started, protocol_version=11
Command: open [redacted]
Error: The first client-to-server cipher supported by the server is
aes256-gcm@openssh.com, which is no longer secure. Aborting connection.
Error: Could not connect to server
version 3.66.4 running on Windows 10, 64-bit
I've spent a day trying to find ciphers that FileZilla prefers, but came up empty.
I notice in the Debug menu item, there is a list of TLS ciphers that are preferred.
Is there a similar list for ssh connections?
thx.
Re: Terrapin security vulnerability
Posted: 2024-01-02 09:01
by botg
The SFTP implementation in FileZilla is based on PuTTY and shares some of its settings. Check your PuTTY configuration, maybe you have moved AES-GCM to the list of insecure ciphers at some point?
Re: Terrapin security vulnerability
Posted: 2024-01-03 16:39
by oxide
That was it!
PuTTY recently updated its ciphers because of the SSH issue.
The second one -- AES (SSH-2 only) -- was the cipher I had to move above the "warn below here" line.
Now that I know how to select the ciphers in FileZilla, I can get my ssh stuff squared away.
Many thanks for the quick answer.
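
The behaviour worked out in this thread, as an added example that is not part of the original posts and is not FileZilla or PuTTY code: SSH picks the first cipher on the client's preference list that the server also offers, and the connection is refused when that cipher sits below the client's "warn below here" marker. The cipher orderings and the trimmed server list are constructed for illustration, and the function names are hypothetical.

```python
# Added illustration of SSH cipher selection with a "warn below here" marker.
# Selection rule (RFC 4253): the first algorithm on the CLIENT's list that the
# server also supports wins; the server's own ordering does not matter.

WARN = "WARN"  # marker: every cipher listed after it is treated as below the warn line


def negotiate(client_prefs, server_ciphers):
    """Return (cipher, below_warn), or (None, False) when nothing is shared."""
    offered = set(server_ciphers)
    below_warn = False
    for entry in client_prefs:
        if entry == WARN:
            below_warn = True  # everything from here on is below the line
            continue
        if entry in offered:
            return entry, below_warn
    return None, False


def connect(client_prefs, server_ciphers):
    """Mimic the outcome in the message log: abort instead of prompting."""
    cipher, below_warn = negotiate(client_prefs, server_ciphers)
    if cipher is None:
        return "abort: no common cipher"
    if below_warn:
        return f"abort: {cipher} is below the warn line"
    return f"ok: {cipher}"


# Constructed client orderings (assumption: AES-GCM had ended up below the line).
BEFORE_FIX = ["aes256-ctr", "chacha20-poly1305@openssh.com", WARN,
              "aes256-gcm@openssh.com", "3des-cbc"]
AFTER_FIX = ["aes256-gcm@openssh.com", "aes256-ctr",
             "chacha20-poly1305@openssh.com", WARN, "3des-cbc"]

# Constructed server list after an admin removed the other ciphers.
SERVER_TRIMMED = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com"]
# Constructed server list that still offers a cipher above the client's line.
SERVER_FULL = ["aes256-gcm@openssh.com", "aes256-ctr"]

if __name__ == "__main__":
    print(connect(BEFORE_FIX, SERVER_TRIMMED))  # only match is below the line
    print(connect(AFTER_FIX, SERVER_TRIMMED))   # same server, reordered client
    print(connect(BEFORE_FIX, SERVER_FULL))     # client order beats server order
```

Trimming the server's cipher list can therefore break a client whose only remaining match is below its warn line, even though nothing changed on the client.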