FileZilla Server 0.9.44 and OpenSSL on Windows 2003

botg
Site Admin
Posts: 32557
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server 0.9.44 and OpenSSH on Windows 2003

#16 Post by botg » 2014-04-12 08:02

The problem is with the OpenSSL DLLs, building those for XP is very difficult and time consuming.

surr34l
500 Syntax error
Posts: 15
Joined: 2014-04-10 00:29
First name: surreal
Last name: surreal

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#17 Post by surr34l » 2014-04-12 13:08

I would love the info to be able to do it. Unfortunately, I haven't done anything with compiling before, but could figure it out with a decent step-by-step or something in the general ballpark.

I looked on the site for instructions on how to compile server, but could only find info on compiling the client, which after downloading and extracting as instructed.. the first command generated errors. So is life.

Either way, I'd love to be able to do it myself, but if not the final binary would be greatly appreciated.

boco
Contributor
Posts: 24877
Joined: 2006-05-01 03:28
Location: Germany

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#18 Post by boco » 2014-04-12 13:16

So far, using 0.9.43 with the SSL files from 0.9.44 seems to work great.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

fmaxwell
500 Command not understood
Posts: 2
Joined: 2014-04-12 18:53
First name: Fred
Last name: Maxwell

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#19 Post by fmaxwell » 2014-04-12 19:32

Of all the times to cease support for Windows 2003, just as the Heartbleed vulnerability is being patched? Seriously?

Windows Server 2003 is a product that Microsoft will continue to support into 2015. I cannot imagine why now, of all times, the FileZilla support under Server 2003 would go away, leaving countless thousands of servers vulnerable.

Please add my voice to those calling for at least one more version of FileZilla Server that supports Windows Server 2003.

boco
Contributor
Posts: 24877
Joined: 2006-05-01 03:28
Location: Germany

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#20 Post by boco » 2014-04-13 02:45

Just update the two DLLs. Problem solved.

Franklin
500 Command not understood
Posts: 2
Joined: 2014-04-10 11:36
First name: Chester

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#21 Post by Franklin » 2014-04-13 20:19

boco wrote: Just update the two DLLs. Problem solved.

Does updating the DLL's seem right to you, Tim?

I tried testing for Heartbleed on a Filezilla server using:
the test site http://filippo.io/Heartbleed
Testing against the TCP Port 990

The report indicated that the test site running V 0.9.43 tested OK without any updates to the DLL's.
Since then I have updated these two DLL's with the V 0.9.44 DLL's and it tested OK also.

What I was looking for was a test that said, it is NOT OK, then update the DLL's and see it pass the test.

botg
Site Admin
Posts: 32557
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#22 Post by botg » 2014-04-14 06:16

That's very peculiar. Heartbeat is enabled in the version of OpenSSL shipped with FileZilla Server 0.9.43 and it was built from the vulnerable source code.

botg
Site Admin
Posts: 32557
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#23 Post by botg » 2014-04-14 06:27

The online tool seems broken. Using the command-line client it reports 0.9.43 as vulnerable.

./Heartbleed -service=ftp 10.0.0.66:21
2014/04/14 08:30:38 ([]uint8) {
 00000000  02 00 49 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..Iheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  20 59 45 4c 4c 4f 57 20  |lippo.io YELLOW |
 00000020  53 55 42 4d 41 52 49 4e  45 20 31 30 2e 30 2e 30  |SUBMARINE 10.0.0|
 00000030  2e 36 36 3a 32 31 53 cc  b2 99 2f e5 40 82 ad 0e  |.66:21S.../.@...|
 00000040  a0 e5 0b e3 b7 d2 1b d4  69 83 85 a5 52 b6 65 a7  |........i...R.e.|
 00000050  9d 31 e2 45 43 b5 1b dc  87 68 53 8f              |.1.EC....hS.|
}

2014/04/14 08:30:38 10.0.0.59:21 - VULNERABLE

tmenke
504 Command not implemented
Posts: 6
Joined: 2014-04-15 13:43
First name: Tim
Last name: Menke

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#24 Post by tmenke » 2014-04-15 13:47

Did we get an answer on this?

Is using the OpenSSL DLLs from the current version and copying them to the folder of the older version a supported method for Server 2003 or will a new package be generated with 2003 support?

EDIT: n/m Didn't see the other thread on this topic

mikeloeven
503 Bad sequence of commands
Posts: 20
Joined: 2008-12-05 02:30
First name: mike
Last name: loeven

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#25 Post by mikeloeven » 2014-04-30 23:36

To be honest, I think even though MS pulled the plug on XP it's still going to be around for a long time. It's just that stable.

I think ending support for XP is a mistake because it is still so widely used, especially in business.

KKimber
504 Command not implemented
Posts: 7
Joined: 2008-07-14 08:02
First name: Kari
Last name: Kimber

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#26 Post by KKimber » 2014-05-06 11:07

javierb wrote: Hi Support:

Today I've tried to install Filezilla Server 0.9.44 on this Windows Server 2003 and it says this OS is no longer supported and it will not work on this OS.

Will you please provide us with some workaround as the previous version is seriously crippled by the openSSH vulnerability?

Best Regards,
Javier

Some problem and services can't be deleted by installer. Installer says success but service is not running and fails to start.

honzakuchar
500 Command not understood
Posts: 1
Joined: 2014-05-18 09:08
First name: Jan
Last name: Kuchař

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#27 Post by honzakuchar » 2014-05-18 09:10

What is the last unaffected version of FileZilla Server? I'm going to downgrade.

boco
Contributor
Posts: 24877
Joined: 2006-05-01 03:28
Location: Germany

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#28 Post by boco » 2014-05-18 15:35

To my knowledge only 0.9.43 had 1.01 <g OpenSSL DLLs. Check out 0.9.42's DLLs - if they are of 0.x version it should be unaffected by Heartbleed.

BUT

0.9.43 fixed a different security issue, a nasty bug with Aliases. For this reason, only 0.9.44 or 0.9.43 with replaced DLLs from 0.9.44 should be used.
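
The DLL version check suggested in post #28 can be scripted. The following is an added example, not part of the original thread and not FileZilla project code: it scans a binary for the embedded OpenSSL release banner and classifies it against the Heartbleed-affected range 1.0.1 through 1.0.1f. File paths are supplied by the caller; `SAMPLE` and the names `classify` and `scan` are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# OpenSSL binaries embed a release banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
# Pre-release (beta) banners are deliberately not matched and yield no result.
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-fips)? +"
    rb"\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Constructed sample: a few bytes standing in for a DLL image with a banner inside.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\xff" * 8


def classify(major, minor, fix, letter):
    """Heartbleed affects releases 1.0.1 through 1.0.1f; 1.0.1g is fixed.

    The banner cannot show whether heartbeats were compiled out, so
    "affected" means "replace this file", not "proven exploitable".
    """
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" sort before "g".
        return "affected" if letter < "g" else "fixed"
    return "not affected"


def scan(data):
    """Return sorted, de-duplicated (banner, verdict) pairs found in raw bytes."""
    found = {}
    for m in BANNER.finditer(data):
        major, minor, fix = (int(g) for g in m.group(1, 2, 3))
        banner = m.group(0).decode("ascii")
        found[banner] = classify(major, minor, fix, m.group(4).decode("ascii"))
    return sorted(found.items())


if __name__ == "__main__":
    # Pass the paths of the OpenSSL DLLs in the server directory as arguments.
    inputs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, data in inputs:
        results = scan(data)
        if not results:
            print(f"{name}: no OpenSSL release banner found")
        for banner, verdict in results:
            print(f"{name}: {banner} -> {verdict}")
```
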

GldRush98
504 Command not implemented
Posts: 9
Joined: 2008-02-06 22:53
First name: Nick
Last name: O

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#29 Post by GldRush98 » 2014-06-04 02:10

Are you shitting me?
Server 2003 is still supported by Microsoft through July of 2015.
http://support.microsoft.com/lifecycle/ ... er+2003+R2
Dropping support prematurely is a bit questionable, and telling people to upgrade a still-supported commercial OS simply because you changed the build spec is straight up bush-league.
Bad form guys. Bad form indeed. :(

panos
500 Command not understood
Posts: 1
Joined: 2014-06-04 06:03

Re: FileZilla Server 0.9.44 and OpenSSL on Windows 2003

#30 Post by panos » 2014-06-04 06:08

Please make a special version of both the client and the server for Windows Server 2003/XP people. We are not asking you for constant support, but rather for addressing the special circumstances caused by the Heartbleed bug which is entirely irrelevant to how old these systems are.

Thanks.
