
Project: FlashFXP Bug Reports
ID: 1098
Category: FlashFXP Bug
Title: Since OpenSSL 1.0.2f, I'm getting SSL error:14082174
Status: Pending (Awaiting User Feedback)
Severity: Major
Version: 5.2

Junior Member
adrien.lecharpentier+flashfxp
02-17-2016, 11:12 AM
Since OpenSSL 1.0.2f, I'm getting SSL error:14082174

When I updated the software to the latest version, I wasn't able to connect to one of my FTP servers. I was getting:

Code:
[14:17:31] [L] Connected to *****
[14:17:31] [L] 220 Apache
[14:17:31] [L] AUTH TLS
[14:17:31] [L] 234 AUTH TLS successful
[14:17:32] [L] SSL error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
[14:17:32] [L] Failed TLSv1 negotiation, disconnected
[14:17:32] [L] Connection failed (Connection closed by client)

The certificate on the server didn't change and I'm able to connect with 5.2 3910. Since you changed the version in 5.2 3912. The server certificate is using the encryption DHE-RSA-AES128-SHA (128 bits).

I found my workaround (downgrade) but I cannot upgrade until this is fixed.

Thanks
FlashFXP Developer
bigstar
02-17-2016, 03:19 PM
Re: Since OpenSSL 1.0.2f, I'm getting SSL error:14082174

This error/warning was introduced by the OpenSSL 1.0.2f update to prevent the Logjam vulnerability (CVE-2015-4000).

Taken from https://www.openssl.org/news/secadv/20160128.txt
Quote:
An update on DHE man-in-the-middle protection (Logjam)
====================================================================

A previously published vulnerability in the TLS protocol allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections
using ephemeral Diffie-Hellman key exchange to 512-bit export-grade
cryptography. This vulnerability is known as Logjam
(CVE-2015-4000). OpenSSL added Logjam mitigation for TLS clients by
rejecting handshakes with DH parameters shorter than 768 bits in
releases 1.0.2b and 1.0.1n.

This limit has been increased to 1024 bits in this release, to offer
stronger cryptographic assurance for all TLS connections using
ephemeral Diffie-Hellman key exchange.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

Basically, the DH key on the remote server is too weak and the server needs to be re-configured to use a larger/stronger DH key.
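
Added example (not part of the ticket, and not FlashFXP or OpenSSL code): a Python check that reads the size of the DH prime from a DHE ServerKeyExchange handshake message and compares it with the two client limits named in the quoted advisory. The function names and the sample messages are constructed for illustration; the sample dh_p values are placeholders of the right size, not real primes.

```python
import struct

# Minimum dh_p sizes OpenSSL TLS clients accept, from the advisory quoted above.
MIN_DH_BITS = {"1.0.2b / 1.0.1n": 768, "1.0.2f / 1.0.1r": 1024}
SERVER_KEY_EXCHANGE = 12  # TLS handshake message type

def _read_vec16(buf, off):
    """Read one TLS variable-length vector: 2-byte length, then the data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off + 2:off + 2 + n], off + 2 + n

def dh_prime_bits(msg):
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    declared = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + declared]
    if len(body) != declared:
        raise ValueError("truncated handshake body")
    dh_p, off = _read_vec16(body, 0)
    _dh_g, off = _read_vec16(body, off)
    _dh_ys, off = _read_vec16(body, off)  # the signature follows; not needed here
    # bit_length() ignores leading zero bytes, so padding cannot inflate the size.
    return int.from_bytes(dh_p, "big").bit_length()

def client_verdicts(bits):
    """Map each release pair to True if a client at that limit accepts dh_p."""
    return {rel: bits >= minimum for rel, minimum in MIN_DH_BITS.items()}

def build_sample(p_bits):
    """Constructed sample message; dh_p is a placeholder, not a real prime."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    fields = (p, b"\x02", b"\x01" * len(p), b"\x00" * 4)  # p, g, Ys, dummy signature
    body = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        print(size, client_verdicts(dh_prime_bits(build_sample(size))))
```

A 768-bit prime passes the limit of the earlier releases and fails the 1024-bit limit of 1.0.2f, which is the point at which a client reports "dh key too small".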

All times are GMT -5.