Opened 4 weeks ago

Closed 4 weeks ago

#11781 closed Bug report (fixed)

invalid GnuTLS ciphers string for GnuTLS >= 3.6

Reported by: Horse Luke
Owned by:
Priority: normal
Component: FileZilla Client
Keywords:
Cc:
Component version:
Operating system type:
Operating system version:

Description

Description:

As GnuTLS >= 3.6 drops OpenPGP certificate support, when FileZilla 3.37.4 is compiled with GnuTLS >= 3.6, connections with "FTP over TLS" will fail with "GnuTLS error -50 in gnutls_priority_set_direct: The request is invalid".

Connection error detail:

Status:	Resolving address of aaa.com
Status:	Connecting to 127.0.0.1:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Error:	GnuTLS error -50 in gnutls_priority_set_direct: The request is invalid.
Error:	Failed to initialize TLS.
Error:	Could not connect to server

Root cause:

After searching the code, it occurred in the file "/engine/tlssocket_impl.cpp":

char const ciphers[] = "SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP:-VERS-SSL3.0";

Removing "-CTYPE-OPENPGP" will solve the problem:

char const ciphers[] = "SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-VERS-SSL3.0";

Test method:

Assume GnuTLS >= 3.6 is compiled in /opt/filezilla3; use gnutls-cli to test the priority string:

[develop@test.com ~]$ PATH=/opt/filezilla3/bin:$PATH LD_LIBRARY_PATH=/opt/filezilla3/lib64:/opt/filezilla3/lib:$LD_LIBRARY_PATH /opt/filezilla3/bin/gnutls-cli  -l --priority="SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP:-VERS-SSL3.0"

The result contains an error:

Cipher suites for SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP:-VERS-SSL3.0
Syntax error at: -CTYPE-OPENPGP:-VERS-SSL3.0

Remove "-CTYPE-OPENPGP":

[develop@test.com ~]$ PATH=/opt/filezilla3/bin:$PATH LD_LIBRARY_PATH=/opt/filezilla3/lib64:/opt/filezilla3/lib:$LD_LIBRARY_PATH /opt/filezilla3/bin/gnutls-cli  -l --priority="SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-VERS-SSL3.0"

OK:

Cipher suites for SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-VERS-SSL3.0
TLS_AES_256_GCM_SHA384                            	0x13, 0x02	TLS1.3
TLS_CHACHA20_POLY1305_SHA256                      	0x13, 0x03	TLS1.3
TLS_AES_128_GCM_SHA256                            	0x13, 0x01	TLS1.3
TLS_AES_128_CCM_SHA256                            	0x13, 0x04	TLS1.3
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                	0xc0, 0x2c	TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                 	0xcc, 0xa9	TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                  	0xc0, 0x0a	TLS1.0
TLS_ECDHE_ECDSA_AES_256_CCM                       	0xc0, 0xad	TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                	0xc0, 0x2b	TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                  	0xc0, 0x09	TLS1.0
TLS_ECDHE_ECDSA_AES_128_CCM                       	0xc0, 0xac	TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                  	0xc0, 0x30	TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                   	0xcc, 0xa8	TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1                    	0xc0, 0x14	TLS1.0
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  	0xc0, 0x2f	TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1                    	0xc0, 0x13	TLS1.0
TLS_RSA_AES_256_GCM_SHA384                        	0x00, 0x9d	TLS1.2
TLS_RSA_AES_256_CBC_SHA1                          	0x00, 0x35	TLS1.0
TLS_RSA_AES_256_CCM                               	0xc0, 0x9d	TLS1.2
TLS_RSA_AES_128_GCM_SHA256                        	0x00, 0x9c	TLS1.2
TLS_RSA_AES_128_CBC_SHA1                          	0x00, 0x2f	TLS1.0
TLS_RSA_AES_128_CCM                               	0xc0, 0x9c	TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384                    	0x00, 0x9f	TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305                     	0xcc, 0xaa	TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1                      	0x00, 0x39	TLS1.0
TLS_DHE_RSA_AES_256_CCM                           	0xc0, 0x9f	TLS1.2
TLS_DHE_RSA_AES_128_GCM_SHA256                    	0x00, 0x9e	TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1                      	0x00, 0x33	TLS1.0
TLS_DHE_RSA_AES_128_CCM                           	0xc0, 0x9e	TLS1.2

Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-256-CBC, AES-256-CCM, AES-128-GCM, AES-128-CBC, AES-128-CCM
MACs: AEAD, SHA1
Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, RSA, DHE-RSA
Groups: GROUP-SECP384R1, GROUP-SECP521R1, GROUP-FFDHE8192, GROUP-SECP256R1, GROUP-X25519, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096, GROUP-FFDHE6144
PK-signatures: SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384, SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512, SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512, SIGN-RSA-SHA256, SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-RSAE-SHA256, SIGN-ECDSA-SHA256, SIGN-ECDSA-SECP256R1-SHA256, SIGN-EdDSA-Ed25519, SIGN-RSA-SHA1, SIGN-ECDSA-SHA1

Link:

https://www.gnutls.org/manual/html_node/OpenPGP-certificates.html
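
An added example, not part of the ticket and not FileZilla's own code: one way to build the priority string so that only the token this report identifies as rejected is dropped, while every other exclusion (-VERS-SSL3.0, -MD5, -3DES-CBC and so on) is kept. The function names, the `kOpenPgpRemoved` threshold and passing the version in `GNUTLS_VERSION_NUMBER` layout are assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Priority string quoted in the ticket, before the fix.
char const kOriginal[] = "SECURE256:+SECURE128:-ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:"
                         "-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP:-VERS-SSL3.0";

// Assumption taken from the ticket: GnuTLS >= 3.6 rejects CTYPE-OPENPGP tokens.
// Versions use the GNUTLS_VERSION_NUMBER layout (0xMMmmpp).
constexpr unsigned kOpenPgpRemoved = 0x030600;

// Strip a leading '+', '-' or '!' modifier to get the bare keyword.
static std::string keyword(std::string const& token)
{
    if (!token.empty() && (token[0] == '+' || token[0] == '-' || token[0] == '!'))
        return token.substr(1);
    return token;
}

// Return prio with CTYPE-OPENPGP tokens dropped when the library is new
// enough to reject them. All other tokens are kept, in order, so the
// remaining exclusions are never silently widened.
std::string priority_for_version(std::string const& prio, unsigned gnutls_version)
{
    std::istringstream in(prio);
    std::string token, out;
    while (std::getline(in, token, ':')) {
        if (token.empty())
            continue; // skip empty segments such as "::"
        if (gnutls_version >= kOpenPgpRemoved && keyword(token) == "CTYPE-OPENPGP")
            continue;
        if (!out.empty())
            out += ':';
        out += token;
    }
    return out;
}

int main()
{
    std::cout << "3.5.19: " << priority_for_version(kOriginal, 0x030513) << "\n";
    std::cout << "3.6.0:  " << priority_for_version(kOriginal, 0x030600) << "\n";
}
```

The resulting string can still be checked with `gnutls-cli -l --priority=...` as shown in the test method above.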

Change History (1)

comment:1 Changed 4 weeks ago by Tim Kosse

Resolution: fixed
Status: new → closed

Fixed in the repository.
