
Re: Newest upgrade will not let me connect to my server

Posted: 2017-04-13 09:55
by Everun
Just to give you an impression out of real life what has happened in our company.

We have to administrate several hundred small embedded devices. They are "in the field" and their purpose is collecting measurement values of multiple sensors and sending the data via GSM. The devices have an older Linux kernel. It is just impossible to upgrade the required server and encryption software of all these devices.

So finally after some time of googling and finding this thread, why Filezilla won't connect to our devices anymore, in our distribution manuals the following paragraph was added in big bold red letters: For a connection to a device, we recommend the software XXXSCP. Don't use Filezilla! This software is not capable of connecting to the device.

Sorry for that, but that is the sad truth. Many others may have changed their documents in the same manner.

I liked Filezilla and used it very often. So frequently I check this thread, if (hopefully) something was changed regarding this issue.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-04-13 16:11
by botg
Everun wrote:It is just impossible to upgrade the required server and encryption software of all these devices.
Technically impossible, or merely not considered in the long-term maintenance budget when the devices were first obtained?
Everun wrote:So finally after some time of googling and finding this thread, why Filezilla won't connect to our devices anymore, in our distribution manuals the following paragraph was added in big bold red letters: For a connection to a device, we recommend the software XXXSCP. Don't use Filezilla! This software is not capable of connecting to the device.
Please update your document to include the whole truth. You need to also mention: "Our devices are critically outdated and do not support secure connections."
Everun wrote:I liked Filezilla and used it very often. So frequently I check this thread, if (hopefully) something was changed regarding this issue.
Sorry to disappoint you, but security will only be tightened, never relaxed.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-06-20 08:42
by Stiglitz
I just stumbled upon this issue today, as one of our coworkers wanted to access an SFTP Server from another Company.

As much as this means "Work" for administrators all around the world, it is the right and the only way to go! As mentioned before, if it would be just a warning, this warning would be clicked away Forever™.

Right now it does not mean work for me, but even if it would, then I would have to do it. It is my JOB. To make sure to keep systems up to date as good as possible. I will miss certain things, I may not have the manpower or knowledge to do other "at this moment". But that is where the whole "if you don't force it, people will not do it" comes to play.

If I had an outdated SFTP Server, at this point I would have the possibility to tell my boss (No need to as he is on my side anyway but just as an example):
Look. This stuff is so outdated and insecure, well known software does not support it anymore. Please give me resources to fix it! Otherwise I will not be responsible for anything happening due to *this* (place ANY security related weak spot here).


So a big THANK YOU to the FileZilla Project for taking the punishment from some users, for the sake of the security of our beloved IT Infrastructure!

Re: Newest upgrade will not let me connect to my server

Posted: 2017-07-08 23:37
by Merfolk
Filezilla is a great product. I have been using it for years. Unfortunately the change to no longer allow SHA1 makes the product useless to me. Ironically, my job is updating old software that uses SHA1 to newer versions. Specifically to get firmware and software updates on to Netapp SAN units so they can be updated to newer versions that support better encryption.
Hopefully the Filezilla team will reconsider its stance on allowing use of SHA1. Filezilla is a great client tool.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-07-09 10:44
by botg
botg wrote:Note that according to RFC 4253 (specified in January 2006), all compliant implementations of SSH also support the diffie-hellman-group14-sha1 cipher. Also, in March 2006, support for the diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 key exchange algorithms got specified in RFC 4419.

That's over 10 years grace period.
Merfolk wrote:Ironically, my job is updating old software that uses SHA1 to newer versions.
Sigh...

Re: Newest upgrade will not let me connect to my server

Posted: 2017-07-21 15:56
by ziggy
Here's another real world scenario for you... the company I work for deals with a global giant in the ***** industry... they force us to use OpenText (a giant in the EDI arena) who still use diffie-hellman-group1-sha1 and couldn't give a flying f*ck what I ask of them. So basically because you seek to enforce your ideals on your users like some form of SSH police I must now seek out alternative FTP client pastures, after using FileZilla for over 10 years :( FireFTP here I come! :( Bad form old chap! Bad form! :(

The real world and the ideal world rarely meet and often clash!

Your program is now so 'secure' I won't be able to use it for the foreseeable future, as I suspect neither will many others! Good job! Keep improving that security!

... SIGH! ...

Re: Newest upgrade will not let me connect to my server

Posted: 2017-07-21 23:40
by boco
It's technical security standards being enforced, it has nothing to do with personal preferences. Why should FileZilla undermine that just because a company gives no fuck about the security of their clients?

Re: Newest upgrade will not let me connect to my server

Posted: 2017-07-22 06:35
by botg
Even more shocking if it's an industry giant. They above all should have the money and workforce to properly maintain their infrastructure.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-07-24 07:56
by ziggy
boco wrote:It's technical security standards being enforced, it has nothing to do with personal preferences.
The technical standards mean that if you enforce them YOU WILL HAVE TO (NO CHOICE INVOLVED) not support diffie 1? Hardly the case.
boco wrote:Why should FileZilla undermine that just because a company gives no fuck about the security of their clients?
Erm maybe because the end result is they are inadvertently (coupled with server admin) f*cking over some of their users that have no choice in the matter?
botg wrote:Even more shocking if it's an industry giant. They above all should have the money and workforce to properly maintain their infrastructure.
Indeed, however that's all true, well and good... but the end result is that I (along with others who cannot affect the server) can no longer use your product. Regardless of who is responsible! :(

Re: Newest upgrade will not let me connect to my server

Posted: 2020-03-03 20:32
by edpol
I have 2 PCs running the same version of Windows 10 in 2 locations (different ISP).
Same Filezilla version, 3.47.1.
I try to connect to the same site, one works the other fails.
"The first host key type supported by the server is ssh-dss, which is no longer secure. Aborting connection."

Is there some setting that allows me to connect to this sftp site?

Re: Newest upgrade will not let me connect to my server

Posted: 2020-03-05 09:17
by botg
Bad settings configured in PuTTY? Try deleting HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
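
Added example, not part of the thread and not FileZilla's code: an administrator-side check that parses a server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports the two conditions discussed above, a server offering only diffie-hellman-group1-sha1 and a server whose first host key type is ssh-dss. The function names, the two "legacy" sets and the sample payloads are assumptions constructed for illustration; they are not the client's actual refusal list.

```python
import struct

# Assumption for this example: only the two algorithms named in the thread
# are treated as legacy. This is not FileZilla's actual refusal list.
LEGACY_KEX = {"diffie-hellman-group1-sha1"}
LEGACY_HOSTKEY = {"ssh-dss"}
SSH_MSG_KEXINIT = 20

def name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def parse_kexinit(payload):
    """Return (kex_algorithms, server_host_key_algorithms) from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []          # skip message byte and 16-byte cookie
    for _ in range(10):          # the message carries ten name-lists
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        text = payload[pos:pos + n].decode("ascii")
        lists.append(text.split(",") if text else [])
        pos += n
    return lists[0], lists[1]

def audit(payload):
    """List what an administrator would need to fix on this server."""
    kex, hostkeys = parse_kexinit(payload)
    findings = []
    if kex and all(k in LEGACY_KEX for k in kex):
        findings.append("only legacy key exchange offered: " + ",".join(kex))
    if hostkeys and hostkeys[0] in LEGACY_HOSTKEY:
        findings.append("first host key type is " + hostkeys[0])
    return findings

def build_kexinit(kex, hostkeys):
    """Constructed sample payload; cipher/MAC/compression lists are filler."""
    filler = [["aes128-ctr"]] * 2 + [["hmac-sha2-256"]] * 2 + [["none"]] * 2 + [[]] * 2
    body = b"".join(name_list(l) for l in [kex, hostkeys] + filler)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

OLD_DEVICE = build_kexinit(["diffie-hellman-group1-sha1"], ["ssh-dss", "ssh-rsa"])
UPDATED = build_kexinit(["diffie-hellman-group-exchange-sha256",
                         "diffie-hellman-group14-sha1"], ["ssh-rsa", "ssh-dss"])

if __name__ == "__main__":
    for label, pkt in (("old device", OLD_DEVICE), ("updated server", UPDATED)):
        print(label, "->", audit(pkt) or "no findings")
```

The second sample shows that reordering host key types and adding a newer key exchange method on the server clears both findings without removing the older algorithms.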