Troubleshooting Cipher Issues
Many error messages in third-party apps related to encryption, ciphers, etc. will go away after upgrading the app to a newer version. We always recommend upgrading to the latest and greatest because it often brings security and speed benefits.
This is especially true if it prevents you from needing to enable our insecure ciphers setting, which is insecure.
CuteFTP "Error in negotiating SSL connection"
CuteFTP versions prior to 9.2.0 do not support the ciphers needed for Files.com to operate securely. We suggest upgrading to CuteFTP 9.2.0 or later, which fully supports secure encryption.
CuteFTP versions below 9.2.0 can only be supported using insecure ciphers.
SFTP Connection Failed with "DHG1_KEX_FALLBACK" Cipher
The Diffie-Hellman key exchange method implements a fallback for situations where the client and server cannot agree on a cipher strength. Falling back to a weaker cipher is supposed to be agreed upon by both the server and the client. Some clients contain a bug, causing them to ignore the server when it prohibits a fallback, and instead try to connect using the weaker fallback cipher.
For example, the cipher diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1 DHG1_KEX_FALLBACK indicates that the server requested the use of a strong cipher (diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1) but the client instead attempted to connect with a weaker fallback cipher (note the DHG1_KEX_FALLBACK part of the cipher string).
To resolve this issue, and allow the fallback cipher, enable insecure ciphers for your site.
Failed SSH Key Exchange or Bad server public DH value error using Ipswitch WS_FTP or MoveIt
WS_FTP versions prior to 12.6 and MoveIt versions prior to 9.1.0.3.0 do not support the ciphers needed for Files.com to operate securely.
If users have already upgraded and are still receiving key exchange errors, note that there is a known issue with upgrading previous versions of WS_FTP Professional to 12.6 where the ssh-algos.txt file is not updated with the following ssh-kex: diffie-hellman-group-exchange-sha256. Users can manually add this to the ssh-algos.txt file located at C:\Users\<user>\AppData\Roaming\Ipswitch\WS_FTP to resolve this.
Errors connecting to REST API with .NET (e.g. "An unexpected error occurred on a send")
Microsoft .NET versions below 4.5 don't work natively with secure ciphers.
For .NET 4.5, TLS 1.2 is supported, but it is not a default protocol. You need to opt in to use it. The following code makes TLS 1.2 the default. Make sure to execute it before making a connection to a secured resource:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
For .NET 4.0, TLS 1.2 is not supported. Upgrade your application to a more recent version of the framework.
If you are unable to upgrade your .NET application, you will need to use the Insecure Ciphers capability of Files.com.
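The .NET 4.5 opt-in described above, as an added diagnostic example (not code from Files.com): it first probes whether the runtime can complete a TLS 1.2-only handshake, then applies the opt-in and makes an HTTPS request, separating handshake-level failures such as "An unexpected error occurred on a send" from ordinary HTTP errors. The host name is a placeholder and the class name is an assumption; it targets .NET Framework 4.5 or later.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

class Tls12Check
{
    // Placeholder (assumption): replace with the hostname your application calls.
    const string Host = "your-site.example";

    static void Main()
    {
        // Step 1: direct handshake probe that offers TLS 1.2 only.
        // No validation callback is supplied, so default certificate checks apply.
        try
        {
            using (var tcp = new TcpClient(Host, 443))
            using (var ssl = new SslStream(tcp.GetStream()))
            {
                ssl.AuthenticateAsClient(Host, null, SslProtocols.Tls12, false);
                Console.WriteLine("Handshake OK: {0}, {1} ({2} bits), key exchange {3}",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength, ssl.KeyExchangeAlgorithm);
            }
        }
        catch (AuthenticationException ex) { Console.WriteLine("TLS 1.2 handshake rejected: " + ex.Message); return; }
        catch (IOException ex) { Console.WriteLine("TLS 1.2 handshake aborted: " + ex.Message); return; }
        catch (SocketException ex) { Console.WriteLine("Cannot reach host: " + ex.Message); return; }

        // Step 2: the opt-in from the text, applied before the connection is made.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        var request = (HttpWebRequest)WebRequest.Create("https://" + Host + "/");
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("HTTPS request OK: " + (int)response.StatusCode);
        }
        catch (WebException ex)
        {
            if (ex.Status == WebExceptionStatus.ProtocolError)
                // An HTTP error status (401, 404, ...) still proves the TLS layer worked.
                Console.WriteLine("TLS OK, HTTP status " + (int)((HttpWebResponse)ex.Response).StatusCode);
            else
                // SendFailure and SecureChannelFailure are the usual handshake-level failures.
                Console.WriteLine("Transport failure: " + ex.Status + " - " + ex.Message);
        }
    }
}
```

If step 1 succeeds but step 2 reports a transport failure, look for other code in the application that resets ServicePointManager.SecurityProtocol before the request is sent.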