FileZilla Client v 3.40.0 - A certificate in the chain was signed using an insecure algorithm

[hseritt]

Hi Guys,

I am using FileZilla client version 3.40.0 with an Alfresco server that has its own FTPS server running. I've verified this works fine with 3.28 but with 3.40 I now get this error message in the client logs:

Code: Select all

Status:	Initializing TLS...
Error:	A certificate in the chain was signed using an insecure algorithm
Error:	Received certificate chain could not be verified. Verification status is 2.
Error:	Could not connect to server

My guess is that in 3.40 the RSA algorithm we set up the FTPS server with is not considered secure. When we set this FTPS server up, we used the following to generate the certificate:

Code: Select all

$/home/alfresco/alfresco-5.2.2/java/bin keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

If you read Oracle's docs (see https://docs.oracle.com/javase/7/docs/t ... ytool.html) on the keytool command you will see this:

Option Defaults
Below are the defaults for various option values.

[ snip ]

-keysize
2048 (when using -genkeypair and -keyalg is "RSA")

My question here is what stronger algorithm should we use so that we can make use of FileZilla 3.40.0 with our server? Our only workaround at this point is to stay at a lower version until we can figure that out.

[botg]

For all the certificates in the chain, what are currently the respective algorithms used? Look at both the public key and the hash algorithms for both.

Something reasonable for certificates these days is RSA with 2048 key size and SHA256 as hash algorithm.

Avoid like the plague MD5 and SHA1.

[hseritt]

Thanks, Tim. Appreciate the help. I'll look into building our cert with this and see how it goes.

-Harlin