[Cyberduck-trac] [Cyberduck] #8703: Handshake failure. Unable to negotiate an acceptable set of security parameters.
Cyberduck
trac at trac.cyberduck.io
Sun Apr 19 11:36:31 UTC 2015
#8703: Handshake failure. Unable to negotiate an acceptable set of security
parameters.
---------------------------+-------------------------
Reporter: c.sale | Owner: dkocher
Type: defect | Status: reopened
Priority: normal | Milestone: 4.7
Component: ftp-tls | Version: 4.6.5
Severity: normal | Resolution:
Keywords: | Architecture: Intel
Platform: Mac OS X 10.9 |
---------------------------+-------------------------
Changes (by ralf bergs):
* status: closed => reopened
* resolution: worksforme =>
Comment:
I have the same issue towards a server I control. And as I control it I
know it supports TLS v1.2.
As user `c.sale` pointed out, I can also log on using FileZilla and TLS
v1.2.
I think I have found out why Cyberduck can't connect to my server. It
seems to only support "weak" hash algorithms in the cipher suites it
offers. The below is from a Wireshark trace I just made:
{{{
Cipher Suites (28 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
}}}
I have my FTP server (PureFTPD) configured to use the following suites:
`HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3`. This expands to the following:
{{{
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:
ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:
ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:
ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:
AES256-GCM-SHA384:AES256-SHA256:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:
DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:
ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:
ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:
ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:
AES128-GCM-SHA256:AES128-SHA256
}}}
As you can see, there's no support for `SHA` (i.e. `SHA1`).
The server therefore answers as follows:
{{{
No.  Time                        Source    Destination    Protocol  Length  Info
11   2015-04-19 12:24:19.039517  46.4.x.y  192.168.2.103  TLSv1.2   73      Alert (Level: Fatal, Description: Handshake Failure)
Frame 11: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface 0
Ethernet II, Src: Tp-LinkT_44:59:69 (64:70:02:44:59:69), Dst: Apple_eb:f1:21 (c8:bc:c8:eb:f1:21)
Internet Protocol Version 4, Src: 46.4.x.y (46.4.x.y), Dst: 192.168.2.103 (192.168.2.103)
Transmission Control Protocol, Src Port: 2100 (2100), Dst Port: 53716 (53716), Seq: 341, Ack: 209, Len: 7
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)
}}}
I think this is clearly a Cyberduck issue.
PS: For me it's OS X 10.10.3.
--
Ticket URL: <https://trac.cyberduck.io/ticket/8703#comment:5>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
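
The mismatch described in this comment can be checked mechanically by translating the ClientHello's IANA suite names to OpenSSL names and intersecting them with the server's list. The Python sketch below is an added example, not part of the ticket or of Cyberduck; it uses excerpts of the two lists quoted above, its function names are hypothetical, and its name mapping covers only the naming patterns that appear in those lists.

```python
import re

# Cipher part of an IANA suite name -> OpenSSL spelling (patterns from this ticket only).
CIPHERS = {
    "AES_256_CBC": "AES256", "AES_128_CBC": "AES128",
    "AES_256_GCM": "AES256-GCM", "AES_128_GCM": "AES128-GCM",
    "RC4_128": "RC4", "3DES_EDE_CBC": "DES-CBC3",
}

def iana_to_openssl(name):
    """Translate an IANA suite name to its OpenSSL name; None for signalling values."""
    m = re.fullmatch(r"TLS_(\w+?)_WITH_(\w+)_(SHA\d*|MD5)", name)
    if not m:
        return None  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a real cipher
    kx, cipher, digest = m.groups()
    if cipher not in CIPHERS:
        raise ValueError("cipher not covered by this sketch: " + cipher)
    # Plain RSA key exchange has no prefix in OpenSSL names (AES256-SHA).
    prefix = [] if kx == "RSA" else [kx.replace("_", "-")]
    return "-".join(prefix + [CIPHERS[cipher], digest])

def negotiable(client_iana, server_openssl):
    """Suites the client offers that the server accepts, in client preference order."""
    server = set(server_openssl.replace("\n", "").split(":"))
    offered = (iana_to_openssl(n) for n in client_iana)
    return [s for s in offered if s in server]

# Excerpt of the ClientHello from the Wireshark trace in the ticket.
CLIENT_HELLO = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# Excerpt of the server's expanded cipher string from the ticket.
SERVER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256"
)

if __name__ == "__main__":
    print("common suites:", negotiable(CLIENT_HELLO, SERVER_LIST))
    # Constructed what-if: the same client also offering one TLS 1.2 GCM suite.
    extra = CLIENT_HELLO + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    print("with a GCM suite:", negotiable(extra, SERVER_LIST))
```

An empty intersection is what makes the server answer with the fatal handshake_failure alert (40) shown in the trace.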