Low sftp security

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
mark_
500 Command not understood
Posts: 4
Joined: 2014-01-02 22:56

Low sftp security

#1 Post by mark_ » 2014-01-02 23:33

Hi, thanks for this great FTP client. I want to tell you about a problem I found:
I configured my sshd (OpenSSH) to enforce only the most secure protocols that are available for SSH (according to https://bettercrypto.org) and found out that filezilla is unable to connect via sftp anymore.
I looked up filezilla's debug output first and found nothing special (the connection was closed):
Trace: Using SSH protocol version 2
Trace: We claim version: SSH-2.0-PuTTY_Local:_Sep_22_2013_10:53:15
Trace: Doing Diffie-Hellman group exchange
Trace: CControlSocket::DoClose(64)
Trace: CSftpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Fehler: Herstellen der Verbindung zum Server fehlgeschlagen
Trace: CFileZillaEnginePrivate::ResetOperation(66)
But a look into the server's log revealed the problem:
fatal: no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]
So this tells me that Filezilla uses sha1 and md5 which are basically broken since a couple of years from a cryptographer's point of view (see e.g. https://www.schneier.com/blog/archives/ ... roken.html), while the server enforces stronger algorithms now.
Could you add support for more decent crypto protocols or is there currently a limitation in GnuTLS or the SFTP RFCs? (*edit: I guess it's the PuTTY code, not GnuTLS)
I also have a feature request: Please warn the user if broken crypto algorithms have been chosen for the current connection.

My Linux distribution currently ships the following filezilla version and I also had the problem on Windows (but I cannot tell you which filezilla version that was right now because it wasn't my computer):
FileZilla Client
----------------

Version: 3.7.3

Build information:
Compiled for: x86_64-pc-linux-gnu
Compiled on: x86_64-pc-linux-gnu
Build date: 2013-09-22
Compiled with: x86_64-pc-linux-gnu-gcc (Gentoo Hardened 4.7.3 p1.0, pie-0.5.5) 4.7.3
Compiler flags: -O2 -march=x86-64 -pipe -Wall -fexceptions -std=gnu++11

Linked against:
wxWidgets: 2.8.12
GnuTLS: 2.12.23
SQLite: 3.8.2

Operating system:
Name: Linux 3.12.0-sabayon x86_64
Version: 3.12
If you need more information, please ask.

edit: I saw that Filezilla includes PuTTY code, so I guess the problem rather lies in the usage of this code instead of GnuTLS, because we're talking sftp here. I'll take a look at this later if nobody is faster :)

mark_
500 Command not understood
Posts: 4
Joined: 2014-01-02 22:56

Re: Low sftp security

#2 Post by mark_ » 2014-01-03 10:46

mark_ wrote:I'll take a look at this later if nobody is faster :)
hm yeah no: The code has basically no comments, no docs, no nothing, I'm not trying to find the issue, because 2 hours of fishing around are enough for me.

User avatar
botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Low sftp security

#3 Post by botg » 2014-01-03 22:19

Please try tomorrow's nightly.

mark_
500 Command not understood
Posts: 4
Joined: 2014-01-02 22:56

Re: Low sftp security

#4 Post by mark_ » 2014-01-05 10:51

it works, thanks.

Post Reply