Newest upgrade will not let me connect to my server

Posted: 2016-04-25 01:32
by docmerrill
I just upgraded to the latest filezilla version and now I cannot connect to the server.
Here is the error message I've gotten over and over and over....

Error: The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is no longer secure. Aborting connection.
Error: Could not connect to server

I have only used SFTP in the past, but now I cannot connect using FTP of any kind! Please help. I have
assignments due that I need to upload. :(

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 06:45
by botg
diffie-hellman-group1-sha1 is an insecure key exchange algorithm that only uses a single, fixed Diffie-Hellman group. With some precomputation, an attacker can break the key exchange in near realtime. While this precomputation is expensive, it is entirely possible for government agencies and large companies to undertake this precomputation.

See https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf for details.

Please contact your server administrator or server hosting provider for assistance so that the server can be upgraded to support a more modern and secure key exchange algorithm.
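To see what a server actually advertises before raising it with the administrator, here is an added example (not FileZilla or PuTTY code) that performs only the SSH version exchange, reads the server's SSH_MSG_KEXINIT (RFC 4253) and reports whether its first-listed key exchange is diffie-hellman-group1-sha1, which is exactly the condition in the error message above. It assumes plain TCP reachability of the server's port 22; `build_kexinit` and the "kexcheck" client identification string are helpers introduced here to construct sample input offline.

```python
import socket
import struct

WEAK_KEX = {"diffie-hellman-group1-sha1"}  # what FileZilla 3.17 refuses

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client")

def parse_kexinit(payload: bytes) -> dict:
    """Decode an SSH_MSG_KEXINIT payload into its name-lists."""
    if not payload or payload[0] != 20:  # SSH_MSG_KEXINIT = 20
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message id, then the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + length
    return lists

def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([20]) + b"\x00" * 16  # constructed cookie (all zeros)
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def first_kex_is_weak(payload: bytes) -> bool:
    """True if the server's preferred (first-listed) kex is one FileZilla rejects."""
    kex = parse_kexinit(payload)["kex_algorithms"]
    return bool(kex) and kex[0] in WEAK_KEX

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Run the version exchange and return the server's (unencrypted) KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexcheck\r\n")  # hypothetical client id string
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # skip pre-version banner lines
            line = f.readline()
        (packet_length,) = struct.unpack(">I", f.read(4))  # binary packet header
        padding_length = f.read(1)[0]
        return f.read(packet_length - padding_length - 1)  # payload only, padding left
```

Against a live host, `first_kex_is_weak(fetch_server_kexinit("example.invalid"))` tells you whether the upgraded client will abort, and `parse_kexinit(...)["kex_algorithms"]` shows the full list the administrator needs to reorder or prune.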

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 10:15
by jaminbern
Hi Tim

That's great and everything - but what if I want to carry on being able to connect whilst my server team sort out their issue (the majority of people using FileZilla are not in control of the server end...)

Can we not have an option that 'nags' us but lets us continue to use servers?

Thanks

Jaminbern

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 11:46
by botg
Unfortunately it's rather involved to add these kinds of messages and quite frankly, 100% of users would click them away without ever upgrading the server.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 11:53
by botg
Note that according to RFC 4253 (specified in January 2006), all compliant implementations of SSH also support the diffie-hellman-group14-sha1 cipher. Also, in March 2006, support for the diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 key exchange algorithms got specified in RFC 4419.

That's over 10 years grace period.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 12:08
by botg
The Weak Diffie-Hellman vulnerabilities got published almost one year ago and made a big splash in the media. I'm quite surprised that not all server administrators have fixed their servers yet.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 12:27
by botg
Last but not least, work is underway to officially deprecate the old kex, see https://tools.ietf.org/html/draft-ietf- ... ex-sha2-03

To my knowledge, support for diffie-hellman-group1-sha1 even fails PCI DSS compliance.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 15:29
by stevefromdodge
Realizing that this is a server configuration problem, is there anyway for a client to get past the message to connect to a server at another company?

Re: Newest upgrade will not let me connect to my server

Posted: 2016-04-25 16:01
by botg
SFTP support in FileZilla is based upon PuTTY's psftp. You could download PuTTY and change the KEX priorities of the default settings profile if you don't mind forgoing any security.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-02 10:03
by leed
As much as I respect your work and like using FileZilla, this is rather disappointing. It is also the second time that an upgrade of the FileZilla Client has cost me several hours of work for absolutely no gain on the user side at all.

First Time:
As an Upgrade simply changed all the settings in the Site Manager to remove all stored passwords. Yes I agree that it is a better idea to not have them stored, as FileZilla does not encrypt them and they can easily be read with a text editor. But silently removing them with an update is not a good solution to stop people doing that. On the contrary, it will just give a user a bad day, once he realizes that he must dig out every single password that he used in the last years.

Second Time:
This issue. Yes I agree, that Server Admins should upgrade their systems. But totally blocking the users cannot be the solution. People working on paid contracts cannot connect due to this upgrade and lose money while trying to solve the issue on client side. The Server Admins on customer side will however not upgrade until their bosses give them permission and all other parties agree on a server downtime.
The Upgrade should have simply had an annoying message on connection or a setting somewhere deep in the configs that allows you to set exceptions for important connections. The ability to connect should still remain the most important thing for such a client.


...because of this issue, as a User my only option to work with FileZilla is a downgrade to Version 3.16. Otherwise I cannot do my daily work.

Alongside with the knowledge, that an upgrade will not let me connect to various servers I am forced to use, I also need to neglect any further update requests from FileZilla.

So in the end this upgrade simply forces me to use FileZilla in a more insecure way and miss out on new features; it does not in any way solve the problem that some server admins are still using this old protocol.

I'm sorry to write here in this manner, but the decision you made in this upgrade was definitely the wrong way to do things.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-02 11:38
by botg
No update has ever removed passwords. There is only one case in which passwords could have gotten lost, and that is through downgrading.


If the server runs a Unix(-like) operating system, the server can be upgraded without any downtime. If it's a Windows based server, it can be upgraded during the monthly Windows Update reboot.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-02 11:58
by leed
There sure was an Upgrade about 2 or 3 years ago that automatically changed the settings in the servermanager from "normal" to "Ask for password". If you clicked on the connect button without changing the setting back, it removed the password from the password manager file.

As I work on web projects for different customers, I don't have any access to their servers. If a customer chooses to use a shared hosting or an environment using some complex software stacks such as plesk, c-panel or jelastic, often even the customers themselves aren't able to upgrade the server. If the installed system covers several projects or customers it is also very time-intensive to convince the hoster to upgrade the system, as they must ensure that everything still works for every customer after the upgrade.

Again, I'm really not trying to disrespect your work, but a decision like not enabling connections due to some old encryption protocol just doesn't solve the problem. It forces people to downgrade their client or choose an alternative program. Surely this is not your intention and it also puts a bad light on the hard work you invest in this software.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-03 01:54
by barrychai
The server admin doesn't want to fix it. What can we do?

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-03 02:42
by barrychai
Downgrade to 3.16.0 would fix our issue.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-03 04:18
by boco
Downgrading does fix Jack Schitt.