FTPS SSL strength insufficient

0 votes
asked Jun 13 by Bry (120 points)

Hi. I'm using Rebex FTP and having an issue with SSL. The initial handshake negotiates TLS 1.2 ECDHE_RSA AES 128 GCM. However, when login is called, the FTP server rejects it. The exception caught is SSL Strength Insufficient. The SSL certificate is valid and accepted. The only way I can find to stop this issue is to explicitly set the TLS cipher suite to DHE_RSA_WITH_AES_256_GCM_SHA384. Can you shed any light on why the negotiation selects a cipher that is then rejected? Thanks

Applies to: Rebex FTP/SSL

1 Answer

0 votes
answered Jun 15 by Lukas Pokorny (109,670 points)

In TLS/SSL protocol, the client announces a list of supported ciphers to the server, and the server is supposed to pick one that it considers acceptable.

These are two likely explanations for the issue you encountered:

a) Rebex FTP client did not announce support for any cipher that the server would consider sufficient. Therefore, the server only accepted the connection to be able to inform the client about the problem. (This could easily occur with .NET Compact Framework edition of Rebex FTP, where DHE_ ciphers are disabled by default.)

b) Rebex FTP client did announce support for ciphers that the server would consider sufficient. However, instead of selecting one of them, the server negotiated another cipher. (In this case, you would have to ask the server vendor or administrator about why they negotiate a cipher they later reject instead of a more suitable one.)

If you would like to determine whether either of these possible explanations applies to your scenario, please create a communication log using the Ftp object's LogWriter property and see which suites were actually announced (in the 'Applicable cipher suites' log entry). If you prefer, post the log here or mail it to support@rebex.net for analysis.

(If the issue persists even when you assign TlsCipherSuite.Secure to Ftp.Settings.SslAllowedSuites, that would suggest explanation (b).)

...
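The diagnostic steps from the answer above, as an added C# example (not part of the original answer and not Rebex's own sample code): it writes one debug log with the default suite settings and one with `TlsCipherSuite.Secure`, so the 'Applicable cipher suites' entries can be compared. The host name, credentials, log file names and the use of explicit FTPS are placeholder assumptions.

```csharp
using System;
using Rebex;
using Rebex.Net;

static class CipherDiagnostics
{
    // Placeholders (assumptions): replace with your own server and account.
    const string Host = "ftp.example.com";
    const string User = "username";
    const string Password = "password";

    // Connects with a debug-level communication log, optionally restricting the
    // announced cipher suites, and returns true when Login succeeds.
    static bool TryLogin(string logPath, TlsCipherSuite? allowed)
    {
        using (var ftp = new Ftp())
        {
            ftp.LogWriter = new FileLogWriter(logPath, LogLevel.Debug);
            if (allowed.HasValue)
                ftp.Settings.SslAllowedSuites = allowed.Value;
            try
            {
                ftp.Connect(Host, SslMode.Explicit); // explicit FTPS is an assumption
                Console.WriteLine("{0}: negotiated {1}", logPath, ftp.TlsSocket.Cipher);
                ftp.Login(User, Password);           // the call that was rejected in the question
                ftp.Disconnect();
                return true;
            }
            catch (Exception ex)
            {
                Console.WriteLine("{0}: failed: {1}", logPath, ex.Message);
                return false;
            }
        }
    }

    static void Main()
    {
        bool withDefaults = TryLogin("ftp-default.log", null);
        bool withSecure = TryLogin("ftp-secure.log", TlsCipherSuite.Secure);

        Console.WriteLine("Default suites: {0}", withDefaults ? "login OK" : "rejected");
        Console.WriteLine("TlsCipherSuite.Secure: {0}", withSecure ? "login OK" : "rejected");
        if (!withSecure)
            Console.WriteLine("Still rejected with Secure: per the answer, this suggests explanation (b).");
    }
}
```

After running it, search both log files for the 'Applicable cipher suites' entry to see which suites were actually announced in each attempt.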