Newest upgrade will not let me connect to my server

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.


docmerrill
500 Command not understood
Posts: 1
Joined: 2016-04-25 01:15
First name: Martha
Last name: Merrill

Newest upgrade will not let me connect to my server

#1 Post by docmerrill » 2016-04-25 01:32

I just upgraded to the latest filezilla version and now I cannot connect to the server.
Here is the error message I've gotten over and over and over....

Error: The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is no longer secure. Aborting connection.
Error: Could not connect to server

I have only used SFTP in the past, but now I cannot connect using FTP of any kind! Please help. I have assignments due that I need to upload. :(

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#2 Post by botg » 2016-04-25 06:45

diffie-hellman-group1-sha1 is an insecure key exchange algorithm that only uses a single, fixed Diffie-Hellman group. With some precomputation, an attacker can break the key exchange in near realtime. While this precomputation is expensive, it is entirely possible for government agencies and large companies to undertake this precomputation.

See https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf for details.

Please contact your server administrator or server hosting provider for assistance so that the server can be upgraded to support a more modern and secure key exchange algorithm.

jaminbern
500 Command not understood
Posts: 1
Joined: 2016-04-25 10:13
First name: Ben
Last name: Morris

Re: Newest upgrade will not let me connect to my server

#3 Post by jaminbern » 2016-04-25 10:15

Hi Tim

That's great and everything - but what if I want to carry on being able to connect whilst my server team sort out their issue (the majority of people using FileZilla are not in control of the server end...)

Can we not have an option that 'nags' us but lets us continue to use servers?

Thanks

Jaminbern

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#4 Post by botg » 2016-04-25 11:46

Unfortunately it's rather involved to add these kind of messages and quite frankly, 100% of users would click them away without ever upgrading the server.

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#5 Post by botg » 2016-04-25 11:53

Note that according to RFC 4253 (specified in January 2006), all compliant implementations of SSH also support the diffie-hellman-group14-sha1 cipher. Also, in March 2006, support for the diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 key exchange algorithms got specified in RFC 4419.

That's over 10 years grace period.

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#6 Post by botg » 2016-04-25 12:08

The Weak Diffie-Hellman vulnerabilities got published almost one year ago and made a big splash in the media. I'm quite surprised that not all server administrators have fixed their servers yet.

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#7 Post by botg » 2016-04-25 12:27

Last but not least, work is underway to officially deprecate the old kex, see https://tools.ietf.org/html/draft-ietf- ... ex-sha2-03

To my knowledge, support for diffie-hellman-group1-sha1 even fails PCI DSS compliance.

stevefromdodge
504 Command not implemented
Posts: 11
Joined: 2010-10-05 23:23
First name: Steve
Last name: Hart

Re: Newest upgrade will not let me connect to my server

#8 Post by stevefromdodge » 2016-04-25 15:29

Realizing that this is a server configuration problem, is there any way for a client to get past the message to connect to a server at another company?

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#9 Post by botg » 2016-04-25 16:01

SFTP support in FileZilla is based upon PuTTY's psftp. You could download PuTTY and change the KEX priorities of the default settings profile if you don't mind forgoing any security.
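The three points botg makes above (why diffie-hellman-group1-sha1 is rejected, that RFC 4253 makes diffie-hellman-group14-sha1 mandatory and RFC 4419 adds group exchange, and what reordering a client's KEX priorities does) come together in the SSH_MSG_KEXINIT exchange. The following is an added example written for this page; it is not FileZilla's, fzsftp's or PuTTY's code. It builds and parses a KEXINIT payload, runs the RFC 4253 section 7.1 negotiation rule, and grades a server's kex list with a policy of its own that mirrors the condition in the error message quoted in post #1 (server lists the weak kex first). The client preference lists, the policy thresholds and the name `probe_server_kexinit` are this example's assumptions, not the actual defaults or behaviour of either program.

```python
"""Added example (not FileZilla's or PuTTY's code): parse SSH_MSG_KEXINIT,
run the RFC 4253 kex negotiation and grade a server's kex list."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Weak kex: one fixed 1024-bit MODP group (Oakley group 2), the Logjam precomputation target.
WEAK_KEX = {"diffie-hellman-group1-sha1"}
# RFC 4253 s6.5: every implementation MUST support group14-sha1; RFC 4419 adds group exchange.
RFC4253_REQUIRED_KEX = "diffie-hellman-group14-sha1"
RFC4419_GEX = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256"}

# Client preference lists assumed for this example (not FileZilla's or PuTTY's real defaults).
MODERN_CLIENT_KEX = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                     "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]
# What "change the KEX priorities" amounts to: the weak kex moved to the front of the client list.
LEGACY_FIRST_CLIENT_KEX = ["diffie-hellman-group1-sha1"] + MODERN_CLIENT_KEX

KEXINIT_FIELDS = ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
                  "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")


def _name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_keys, ciphers, macs, compression=("none",)):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 s7.1). Cookie is zero here; a real peer sends 16 random bytes."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in (kex, host_keys, ciphers, ciphers, macs, macs, compression, compression, (), ()):
        payload += _name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = FALSE, reserved uint32


def parse_kexinit(payload):
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload as a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip message id and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list in %s" % field)
        out[field] = [name for name in raw.decode("ascii").split(",") if name]
        pos += 4 + n
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out


def negotiate(client_prefs, server_list):
    """RFC 4253 s7.1: the chosen kex is the first on the client's list that the server also lists."""
    return next((alg for alg in client_prefs if alg in server_list), None)


def assess_server_kex(server_kex, client_prefs=MODERN_CLIENT_KEX):
    """Example policy: abort if the negotiated kex is weak, or if the server lists a weak kex
    first (the condition named in the client error above). Also report what the server offers."""
    chosen = negotiate(client_prefs, server_kex)
    first_weak = bool(server_kex) and server_kex[0] in WEAK_KEX
    abort = chosen is None or chosen in WEAK_KEX or first_weak
    return {
        "negotiated": chosen,
        "server_first_weak": first_weak,
        "offers_rfc4253_required": RFC4253_REQUIRED_KEX in server_kex,
        "offers_gex": any(alg in RFC4419_GEX for alg in server_kex),
        "verdict": "abort" if abort else "ok",
    }


def _read(f, n):
    data = f.read(n)
    if len(data) != n:
        raise ConnectionError("server closed the connection early")
    return data


def probe_server_kexinit(host, port=22, timeout=5.0):
    """Live check (uses the network; not part of the offline demo): do the identification exchange
    and return the server's parsed KEXINIT, which it sends unencrypted before any client KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # RFC 4253 s4.2 allows banner lines first
            line = f.readline()
        sock.sendall(b"SSH-2.0-kexprobe_example\r\n")
        (packet_len,) = struct.unpack(">I", _read(f, 4))
        pad_len = _read(f, 1)[0]
        payload = _read(f, packet_len - pad_len - 1)
        _read(f, pad_len)
        return parse_kexinit(payload)


if __name__ == "__main__":
    # Constructed server KEXINIT: weak group1 listed first, group14 second (the situation in this thread).
    server = parse_kexinit(build_kexinit(
        ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
        ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha1"]))
    print(assess_server_kex(server["kex_algorithms"]))
    print(assess_server_kex(server["kex_algorithms"], LEGACY_FIRST_CLIENT_KEX))
```

Two things the run shows that the thread only states. A server that lists group1 first but also offers group14 would still negotiate group14 against a client that prefers it, so the "server's first kex" rule is stricter than plain negotiation and will abort even when a stronger kex is available; that is the trade-off behind post #3's request. Moving group1 to the front of the client's list (the PuTTY priorities change in post #9) makes group1 the negotiated kex whenever the server offers it, which is exactly the security being forgone. For a real server, `probe_server_kexinit(host)["kex_algorithms"]` gives the list to hand to the administrator.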

leed
500 Command not understood
Posts: 2
Joined: 2016-05-02 09:48

Re: Newest upgrade will not let me connect to my server

#10 Post by leed » 2016-05-02 10:03

As much as I respect your work and like using FileZilla, this is rather disappointing. It is also the second time that an upgrade of the FileZilla Client has cost me several hours of work for absolutely no gain on the user side at all.

First Time:
An upgrade simply changed all the settings in the Site Manager to remove all stored passwords. Yes, I agree that it is a better idea to not have them stored, as FileZilla does not encrypt them and they can easily be read with a text editor. But silently removing them with an update is not a good solution to stop people doing that. On the contrary, it will just give a user a bad day once he realizes that he must dig out every single password that he used in the last years.

Second Time:
This issue. Yes I agree, that Server Admins should upgrade their systems. But totally blocking the users cannot be the solution. People working on paid contracts cannot connect due to this upgrade and lose money while trying to solve the issue on client side. The Server Admins on customer side will however not upgrade until their bosses give them permission and all other parties agree on a server downtime.
The Upgrade should have simply had an annoying message on connection or a setting somewhere deep in the configs that allows you to set exceptions for important connections. The ability to connect should still remain the most important thing for such a client.


...because of this issue, as a User my only option to work with FileZilla is a downgrade to Version 3.16. Otherwise I cannot do my daily work.

Alongside with the knowledge, that an upgrade will not let me connect to various servers I am forced to use, I also need to neglect any further update requests from FileZilla.

So in the end this upgrade simply forces me to use FileZilla in a more insecure way and miss out on new features; it does not in any way solve the problem that some server admins are still using this old protocol.

I'm sorry to write here in this manner, but the decision you made in this upgrade was definitely the wrong way to do things.

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Newest upgrade will not let me connect to my server

#11 Post by botg » 2016-05-02 11:38

No update has ever removed passwords. There is only one case in which passwords could have gotten lost, and that is through downgrading.


If the server runs a Unix(-like) operating system, the server can be upgraded without any downtime. If it's a Windows based server, it can be upgraded during the monthly Windows Update reboot.

leed
500 Command not understood
Posts: 2
Joined: 2016-05-02 09:48

Re: Newest upgrade will not let me connect to my server

#12 Post by leed » 2016-05-02 11:58

There sure was an upgrade about 2 or 3 years ago that automatically changed the settings in the Site Manager from "normal" to "Ask for password". If you clicked on the connect button without changing the setting back, it removed the password from the password manager file.

As I work on web projects for different customers, I don't have any access to their servers. If a customer chooses to use shared hosting or an environment using some complex software stack such as Plesk, cPanel or Jelastic, often even the customers themselves aren't able to upgrade the server. If the installed system covers several projects or customers, it is also very time-intensive to convince the hoster to upgrade the system, as they must ensure that everything still works for every customer after the upgrade.

Again, I'm really not trying to disrespect your work, but a decision like not enabling connections due to some old encryption protocol just doesn't solve the problem. It forces people to downgrade their client or choose an alternative program. Surely this is not your intention, and it also puts a bad light on the hard work you invest in this software.

barrychai
500 Command not understood
Posts: 2
Joined: 2016-05-03 01:45
First name: barry
Last name: chai

Re: Newest upgrade will not let me connect to my server

#13 Post by barrychai » 2016-05-03 01:54

The server admin doesn't want to fix it. What can we do?

barrychai
500 Command not understood
Posts: 2
Joined: 2016-05-03 01:45
First name: barry
Last name: chai

Re: Newest upgrade will not let me connect to my server

#14 Post by barrychai » 2016-05-03 02:42

Downgrading to 3.16.0 would fix our issue.

boco
Contributor
Posts: 24960
Joined: 2006-05-01 03:28
Location: Germany

Re: Newest upgrade will not let me connect to my server

#15 Post by boco » 2016-05-03 04:18

Downgrading does fix Jack Schitt.