I configured my sshd (OpenSSH) to enforce only the most secure protocols that are available for SSH (according to https://bettercrypto.org) and found out that filezilla is unable to connect via sftp anymore.
I looked up filezilla's debug output first and found nothing special (the connection was closed):

Trace: Using SSH protocol version 2
Trace: We claim version: SSH-2.0-PuTTY_Local:_Sep_22_2013_10:53:15
Trace: Doing Diffie-Hellman group exchange
Trace: CControlSocket::DoClose(64)
Trace: CSftpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Fehler: Herstellen der Verbindung zum Server fehlgeschlagen
Trace: CFileZillaEnginePrivate::ResetOperation(66)

But a look into the server's log revealed the problem:

fatal: no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]

So this tells me that Filezilla uses sha1 and md5, which have basically been broken for a couple of years from a cryptographer's point of view (see e.g. https://www.schneier.com/blog/archives/ ... roken.html), while the server enforces stronger algorithms now.
Could you add support for more decent crypto protocols, or is there currently a limitation in GnuTLS or the SFTP RFCs? (*edit: I guess it's the PuTTY code, not GnuTLS)
I also have a feature request: Please warn the user if broken crypto algorithms have been chosen for the current connection.
My Linux distribution currently ships the following filezilla version and I also had the problem on Windows (but I cannot tell you which filezilla version that was right now because it wasn't my computer):
If you need more information, please ask.

FileZilla Client
----------------
Version: 3.7.3
Build information:
Compiled for: x86_64-pc-linux-gnu
Compiled on: x86_64-pc-linux-gnu
Build date: 2013-09-22
Compiled with: x86_64-pc-linux-gnu-gcc (Gentoo Hardened 4.7.3 p1.0, pie-0.5.5) 4.7.3
Compiler flags: -O2 -march=x86-64 -pipe -Wall -fexceptions -std=gnu++11
Linked against:
wxWidgets: 2.8.12
GnuTLS: 2.12.23
SQLite: 3.8.2
Operating system:
Name: Linux 3.12.0-sabayon x86_64
Version: 3.12
edit: I saw that Filezilla includes PuTTY code, so I guess the problem rather lies in the usage of this code instead of GnuTLS, because we're talking sftp here. I'll take a look at this later if nobody is faster
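The failure quoted from the sshd log, reproduced as an added example (my own code, not FileZilla's or PuTTY's): it applies the SSH name-list rule from RFC 4253 (the first algorithm in the client's list that the server also offers wins) to the two MAC lists in the log, and adds the kind of warning the feature request asks for. The weak-MAC set is an assumed policy list that mirrors what the reporter's server refuses, not a list taken from any project.

```python
from typing import Optional, Tuple

# Name-lists copied from the sshd log line quoted in the report.
CLIENT_MACS = "hmac-sha1,hmac-sha1-96,hmac-md5"
SERVER_MACS = "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"

# Assumed policy list: the MACs the hardened server in the report no longer
# offers. A real client would take this from its own configuration.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: walk the client's list in order and pick the
    first name the server also lists; None means negotiation fails."""
    server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in server:
            return name
    return None


def check_mac(client_list: str, server_list: str) -> Tuple[str, Optional[str]]:
    """Classify the outcome: ("fail", None) mirrors sshd's
    'no matching mac found'; ("weak", mac) is the warning case the
    feature request describes; ("ok", mac) is a clean negotiation."""
    mac = negotiate(client_list, server_list)
    if mac is None:
        return "fail", None
    if mac in WEAK_MACS:
        return "weak", mac
    return "ok", mac


if __name__ == "__main__":
    # The exact situation from the log: no overlap at all, connection dropped.
    print(check_mac(CLIENT_MACS, SERVER_MACS))
    # Same client against a server that still offers hmac-sha1: the client's
    # preference order makes hmac-sha1 win, which is the case to warn about.
    print(check_mac(CLIENT_MACS, "hmac-sha2-256,hmac-sha1"))
    # A client that lists hmac-sha2-256 first negotiates cleanly.
    print(check_mac("hmac-sha2-256,hmac-sha1", SERVER_MACS))
```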