FlashFXP Forums - View Single Post

Yil · 05-03-2010, 02:06 PM

Good news, I can confirm that 2 other people who had issues with ioFTPD running under win2k3 are now doing fine. The switch to OpenSSL seems to have made things FAR more stable than before for them as they are crashfree now. Pion's use of nxMyDB however is still unstable...

I did some more research into OpenSSL and found some useful info. I see how to order/limit which ciphers we want to use, so I think I'll see if I can't let users in the .ini file order them if people want that. More importantly though I can apply the key bit length min/max fields from before to weed out unwanted crappy ciphers automatically which is something far more likely for people to actually use.

I also see that I am using default/pure OpenSSL, and that there are a handful of "bugs" in other SSL libraries that it can be told to work around. I might try enabling all those workarounds to see if that increases interoperability.

We are also using the latest v1.0 release of OpenSSL which was released in March 2010. I found this tidbit in their list of changes:

Code:

  *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
     this allows the use of compression and extensions. Change default cipher
     string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
     by default unless an application cipher string requests it.

Thus as of the 1.0 release SSLv2 is almost dead and the type of client hello is different than before. This may be a cause for slightly different behavior with some sites when FXPing.

05-03-2010, 02:06 PM
Yil Too much time... Join Date: May 2005 Posts: 1,194	Good news, I can confirm that 2 other people who had issues with ioFTPD running under win2k3 are now doing fine. The switch to OpenSSL seems to have made things FAR more stable than before for them as they are crashfree now. Pion's use of nxMyDB however is still unstable... I did some more research into OpenSSL and found some useful info. I see how to order/limit which ciphers we want to use, so I think I'll see if I can't let users in the .ini file order them if people want that. More importantly though I can apply the key bit length min/max fields from before to weed out unwanted crappy ciphers automatically which is something far more likely for people to actually use. I also see that I am using default/pure OpenSSL, and that there are a handful of "bugs" in other SSL libraries that it can be told to work around. I might try enabling all those workarounds to see if that increases interoperability. We are also using the latest v1.0 release of OpenSSL which was released in March 2010. I found this tidbit in their list of changes: Code: *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: this allows the use of compression and extensions. Change default cipher string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 by default unless an application cipher string requests it. Thus as of the 1.0 release SSLv2 is almost dead and the type of client hello is different than before. This may be a cause for slightly different behavior with some sites when FXPing.