FileZilla Forums

18:53:11 Status: Resolving address of natalya
18:53:11 Status: Connecting to 10.0.0.3:21...
18:53:11 Status: Connection established, waiting for welcome message...
18:53:11 Trace: CFtpControlSocket::OnReceive()
18:53:11 Response: 220-zFTPServer (licensed) v6.0, build 2011-10-18 10:24 ready.
18:53:11 Response: 220-
18:53:11 Response: 220-Hello, 10.0.0.3!
18:53:11 Response: 220-Current date & time: 2012-01-10, 18:53
18:53:11 Response: 220-You are user 1 of 20 allowed.
18:53:11 Response: 220-Currently logged on users: 0
18:53:11 Response: 220-Uploaded/downloaded total: 466.03 GiB up / 1.22 TiB down
18:53:11 Response: 220-
18:53:11 Response: 220 Have fun!
18:53:11 Trace: CFtpControlSocket::SendNextCommand()
18:53:11 Command: AUTH TLS
18:53:11 Trace: CFtpControlSocket::OnReceive()
18:53:11 Response: 234 AUTH Command OK. Initializing SSL
18:53:11 Status: Initializing TLS...
18:53:11 Trace: CTlsSocket::Handshake()
18:53:11 Trace: CTlsSocket::ContinueHandshake()
18:53:11 Trace: CTlsSocket::OnSend()
18:53:11 Trace: CTlsSocket::OnRead()
18:53:11 Trace: CTlsSocket::ContinueHandshake()
18:53:11 Trace: CTlsSocket::OnRead()
18:53:11 Trace: CTlsSocket::ContinueHandshake()
18:53:12 Trace: CTlsSocket::OnRead()
18:53:12 Trace: CTlsSocket::ContinueHandshake()
18:53:12 Trace: CTlsSocket::Failure(-12, 10053)
18:53:12 Trace: GnuTLS alert 47: Illegal parameter
18:53:12 Error: GnuTLS error -12: A TLS fatal alert has been received.
18:53:12 Trace: CRealControlSocket::OnClose(10053)
18:53:12 Trace: CControlSocket::DoClose(64)
18:53:12 Trace: CFtpControlSocket::ResetOperation(66)
18:53:12 Trace: CControlSocket::ResetOperation(66)
18:53:12 Error: Could not connect to server
18:53:12 Trace: CFileZillaEnginePrivate::ResetOperation(66)

Edit: I found a list of ciphers for the server I'm using. Would it be possible none of them works anymore?

"RSA-RC4-MD5,RSA-3DES-SHA,RSA-AES256-SHA,DH-RSA-3DES-SHA,DHE-RSA-3DES-SHA,DH-ANON-RC4-MD5,RSA-RC4-MD5-EXPORT"

Just found a sloution for vsftpd, from this thread, I added ssl_ciphers=HIGH to the vsftd.conf and the latest FileZilla can now connect to the FTP server again.

I've removed 3DES from the allowed ciphers, along with the MD5 hash algorithm.



All of them are insecure in my opinion. Of the above, only RSA-AES256-SHA has acceptable key strength but still isn't secure as it doesn't offer forward secrecy which is commonly established by performing a Diffie-Hellman key exchange.

You should update to a more modern server.

While I disagree that DES-CBC3-SHA is a "weak" cipher I agree with botg's end decision to remove support for it.

This is mostly for performance reasons 3DES is one of the slowest ciphers around and does nothing but waste cpu cycles compared to superior alternatives.

My preference is always to use RC4-SHA or when possible ECDHE-RSA-RC4-SHA however not much supports ECDHE at the moment and vsftpd doesn't even support regular DHE to begin with much less ECDHE.

Using RC4-SHA in my opinion is the best choice as you get way better performance than any other cipher and it's not CBC based like everything else all while providing plenty enough protection and in some cases even more than alternatives due to it not being vulnerable to CBC based attacks.

This is a silly reason to agree with removing support for the cipher from the client. As long as you have the choice to choose your ciphers, why should you care what ciphers other users of the client prefer? Why do you agree with forcing users to either never upgrade or switch clients if they don't have control over the FTP servers that they are connecting to? What possible benefit does this provide to you personally?

As has been stated several times, this move seems to serve no purpose other than to frustrate users to no end when they cant connect to servers they had been able to connect to forever with this client.

If you want to change behavior, change the default. Don't remove all of the features that you don't like but which others find useful. The code already existed to support this. It would seem to be very easy to implement a checkbox to allow for its continued support while removing it from the program's default installation.

But I guess it's a free program so you can choose to do whatever you like. The irony of that donate button sitting in the top right of the screen is, however, most striking now; and I will be sure to never be fooled into clicking on it again after seeing the way all of the users are ignored in this way. "Yes, please donate to use so we can continue to code our own pet projects without regard for you, the one donating."

I don't see how saving cpu cycles is silly. People who say this don't seem to understand just how much is wasted by using a cipher like 3DES.

If anything needs to be done it's vsftpd's dev needing to change their default cipher to something more efficient such as AES/RC4 or perhaps even multiple ciphers this time.

As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers.

If an admin can't even do that maybe it's time to find a new host or admin?