Terrapin security vulnerability

JustinFTP
500 Command not understood
Posts: 5
Joined: 2017-04-25 01:17
First name: Justin
Last name: H

Terrapin security vulnerability

#1 Post by JustinFTP » 2023-12-20 01:19

Does FileZilla need to react to the Terrapin vulnerability in the SSH protocol, for client or server?
https://terrapin-attack.com/

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Terrapin security vulnerability

#2 Post by botg » 2023-12-20 09:13

Yes, this eventually needs to be addressed. Note that the client prefers ciphers that are not affected by this protocol vulnerability.

oxide
500 Command not understood
Posts: 2
Joined: 2023-12-30 22:45
First name: Bob
Last name: N.

Re: Terrapin security vulnerability

#3 Post by oxide » 2023-12-30 22:54

> Note that the client prefers ciphers that are not affected by this protocol vulnerability.

What ciphers might those preferred ones be?

I removed some of the affected ciphers from my sshd servers, and now FileZilla refuses to connect.

From the message log...
Status: Connecting to [redacted]...
Response: fzSftp started, protocol_version=11
Command: open [redacted]
Error: The first client-to-server cipher supported by the server is aes256-gcm@openssh.com, which is no longer secure. Aborting connection.
Error: Could not connect to server

Version 3.66.4 running on Windows 10, 64-bit.
I've spent a day trying to find ciphers that FileZilla prefers, but came up empty.

I notice in the Debug menu item, there is a list of TLS ciphers that are preferred.

Is there a similar list for ssh connections?

thx.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Terrapin security vulnerability

#4 Post by botg » 2024-01-02 09:01

The SFTP implementation in FileZilla is based on PuTTY and shares some of its settings. Check your PuTTY configuration, maybe you have moved AES-GCM to the list of insecure ciphers at some point?

oxide
500 Command not understood
Posts: 2
Joined: 2023-12-30 22:45
First name: Bob
Last name: N.

Re: Terrapin security vulnerability

#5 Post by oxide » 2024-01-03 16:39

That was it!

PuTTY recently updated its ciphers because of the SSH issue.

The second one -- AES (SSH-2 only) -- was the cipher I had to move above the "warn below here" line.


[Attachment: Clipboard01.jpg, screenshot of the PuTTY cipher selection list]

Now that I know how to select the ciphers in FileZilla, I can get my SSH stuff squared away.

Many thanks for the quick answer.
