[Cyberduck-trac] [Cyberduck] #8703: Handshake failure. Unable to negotiate an acceptable set of security parameters.

Cyberduck trac at trac.cyberduck.io
Sun Apr 19 11:36:31 UTC 2015

#8703: Handshake failure. Unable to negotiate an acceptable set of security
 Reporter:  c.sale         |         Owner:  dkocher
     Type:  defect         |        Status:  reopened
 Priority:  normal         |     Milestone:  4.7
Component:  ftp-tls        |       Version:  4.6.5
 Severity:  normal         |    Resolution:
 Keywords:                 |  Architecture:  Intel
 Platform:  Mac OS X 10.9  |
Changes (by ralf bergs):

 * status:  closed => reopened
 * resolution:  worksforme =>


 I have the same issue towards a server I control. And as I control it I
 know it supports TLS v1.2.

 As user `c.sale` pointed out I can also log on using FileZilla and TLS

 I think I have found out why Cyberduck can't connect to my server. It
 seems to only support "weak" hash algorithms in the cipher suites it
 offers. The below is from a Wireshark trace I just made:
             Cipher Suites (28 suites)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                 Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
                 Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
                 Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                 Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                 Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
                 Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                 Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                 Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                 Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

 I have my FTP server (PureFTPD) configured to use the following suites:
 `HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3`. This expands to the following:

 As you see there's no support for `SHA` (i. e. `SHA1`).

 The server therefore answers as follows:
 No.     Time                          Source                Destination
 Protocol Length Info
      11 2015-04-19 12:24:19.039517    46.4.x.y
 TLSv1.2  73     Alert (Level: Fatal, Description: Handshake Failure)

 Frame 11: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on
 interface 0
 Ethernet II, Src: Tp-LinkT_44:59:69 (64:70:02:44:59:69), Dst:
 Apple_eb:f1:21 (c8:bc:c8:eb:f1:21)
 Internet Protocol Version 4, Src: 46.4.x.y (46.4.x.y), Dst:
 Transmission Control Protocol, Src Port: 2100 (2100), Dst Port: 53716
 (53716), Seq: 341, Ack: 209, Len: 7
 Secure Sockets Layer
     TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake
         Content Type: Alert (21)
         Version: TLS 1.2 (0x0303)
         Length: 2
         Alert Message
             Level: Fatal (2)
             Description: Handshake Failure (40)

 I think this is clearly a Cyberduck issue.

 PS: For me it's OS X 10.10.3.

Ticket URL: <https://trac.cyberduck.io/ticket/8703#comment:5>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
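
An added example (not part of the ticket and not Cyberduck code) of the check described in the comment above: it parses `Cipher Suite:` lines as Wireshark prints them, looks for overlap with a server's enabled suites, and decodes the alert record. `SERVER_SUITES` is a constructed placeholder, because the ticket does not show the expansion of the server's cipher string; all function names are illustrative.

```python
import re
import struct

# A few "Cipher Suite:" lines copied from the trace above; the first has no ID,
# as in the wrapped original.
CLIENT_HELLO_DUMP = """
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
"""
# Hypothetical server list (constructed): the ticket does not show the expansion.
SERVER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}
# Alert record rebuilt from the decoded fields in the trace (type 21, version
# 0x0303, length 2, level 2, description 40); not bytes taken from a capture.
ALERT_RECORD = bytes.fromhex("15030300020228")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 71: "insufficient_security"}

def parse_offered_suites(dump):
    """Suite names from Wireshark 'Cipher Suite:' lines, with or without an ID."""
    names = re.findall(r"Cipher Suite:\s+(TLS_\w+)", dump)
    # The SCSV is a signalling value, never a negotiable suite.
    return [n for n in names if not n.endswith("_SCSV")]

def hash_suffix(suite):
    """Last name component: the MAC for CBC/RC4 suites, the PRF hash for GCM."""
    return suite.rsplit("_", 1)[1]

def negotiate(offered, server_enabled):
    """First offered suite the server also enables; None means no overlap."""
    return next((s for s in offered if s in server_enabled), None)

def decode_alert_record(record):
    """Decode an unencrypted 7-byte TLS alert record into readable fields."""
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2 or len(record) != 7:
        raise ValueError("not a plaintext TLS alert record")
    level, desc = record[5], record[6]
    return (f"{version:#06x}", ALERT_LEVELS.get(level, str(level)),
            ALERT_DESCRIPTIONS.get(desc, str(desc)))

if __name__ == "__main__":
    print(negotiate(parse_offered_suites(CLIENT_HELLO_DUMP), SERVER_SUITES))
    print(decode_alert_record(ALERT_RECORD))
```

Replacing `SERVER_SUITES` with the names the server actually enables turns this into a direct test of whether a captured ClientHello can succeed against it.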
