FileZilla Client v 3.40.0 - A certificate in the chain was signed using an insecure algorithm

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
hseritt
500 Command not understood
Posts: 2
Joined: 2019-01-30 18:30
First name: Harlin
Last name: Seritt

FileZilla Client v 3.40.0 - A certificate in the chain was signed using an insecure algorithm

#1 Post by hseritt » 2019-01-30 18:36

Hi Guys,

I am using FileZilla client version 3.40.0 with an Alfresco server that has its own FTPS server running. I've verified this works fine with 3.28 but with 3.40 I now get this error message in the client logs:

Code: Select all

Status:	Initializing TLS...
Error:	A certificate in the chain was signed using an insecure algorithm
Error:	Received certificate chain could not be verified. Verification status is 2.
Error:	Could not connect to server
My guess is that in 3.40 the RSA algorithm we set up the FTPS server with is not considered secure. When we set this FTPS server up, we used the following to generate the certificate:

Code: Select all

$/home/alfresco/alfresco-5.2.2/java/bin keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
If you read Oracle's docs (see https://docs.oracle.com/javase/7/docs/t ... ytool.html) on the keytool command you will see this:
Option Defaults
Below are the defaults for various option values.

[ snip ]

-keysize
2048 (when using -genkeypair and -keyalg is "RSA")
My question here is what stronger algorithm should we use so that we can make use of FileZilla 3.40.0 with our server? Our only workaround at this point is to stay at a lower version until we can figure that out.

User avatar
botg
Site Admin
Posts: 32280
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: FileZilla Client v 3.40.0 - A certificate in the chain was signed using an insecure algorithm

#2 Post by botg » 2019-01-30 19:23

For all the certificates in the chain, what are currently the respective algorithms used? Look at both the public key and the hash algorithms for both.

Something reasonable for certificates these days is RSA with 2048 key size and SHA256 as hash algorithm.

Avoid like the plague MD5 and SHA1.

hseritt
500 Command not understood
Posts: 2
Joined: 2019-01-30 18:30
First name: Harlin
Last name: Seritt

Re: FileZilla Client v 3.40.0 - A certificate in the chain was signed using an insecure algorithm

#3 Post by hseritt » 2019-01-30 21:42

Thanks, Tim. Appreciate the help. I'll look into building our cert with this and see how it goes.

-Harlin

Post Reply