Opened on Jul 12, 2013 at 12:21:06 PM
Closed on Jul 13, 2013 at 9:44:57 AM
Last modified on Nov 24, 2013 at 9:42:15 PM
#7344 closed defect (fixed)
Support ECHDE cipher suites
Reported by: | wwwpixime | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | 4.4 |
Component: | webdav | Version: | 4.3.1 |
Severity: | normal | Keywords: | |
Cc: | Architecture: | ||
Platform: |
Description (last modified by wwwpixime)
Here's my Apache/2.4.4 (FreeBSD) OpenSSL/1.0.1e configuration:
SSLProtocol -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA
here's the target WebDAV/S resource:
URL: https://teban.pixi.me Remote Path: /w/webdav/ Username: webdav Password: webdav
When I attempt to connect, I get the following error from Cyberduck 4.3.1
I/O Error: Connection failed, Received fatal alert: handshake_failure.
So my questions are as follows:
- is SSLv3 a requirement for Cyberduck to connect with an HTTPS endpoint?
- does it / will it support ECHDE ciphersuites alongside TLSv1-1.2 protocols?
Please advise, thank you!
Change History (6)
comment:1 Changed on Jul 12, 2013 at 12:25:33 PM by wwwpixime
- Description modified (diff)
comment:2 Changed on Jul 13, 2013 at 9:44:57 AM by dkocher
- Component changed from core to webdav
- Milestone set to 4.4
- Resolution set to fixed
- Status changed from new to closed
- Summary changed from WebDAV over HTTPS issue to Support ECHDE cipher suites
comment:3 follow-up: ↓ 4 Changed on Jul 13, 2013 at 1:51:02 PM by wwwpixime
hi David,
Thank you for adding support for ECHDE ciphers with the latest build. I was able to test it with Cyberduck-11917.tar - the only issue I have now is why my uploads still end up as 0-bytes even when the Cyberduck GUI verified with an "upload complete" notice?
on the backup, Apache logs the PUT request as 200 (success) with 663 bytes out, 390 bytes in but the actual filesize is 139KB
x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PUT /w/webdav/sjjsk/telma-042313-filtered1.jpg HTTP/1.1" 200 663 390 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)" x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PROPFIND /w/webdav/sjjsk/ HTTP/1.1" 207 711 3184 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)"
All other WebDAV/S clients I've tested except Cyberduck works, even curl works with
curl -u webdav:webdav -T /path/to/local/filename https://teban.pixi.me/w/webdav/
I will pay for a license from the Mac App Store if I can get this working somehow. Please advise, thank you!
comment:4 in reply to: ↑ 3 Changed on Jul 15, 2013 at 6:55:07 PM by dkocher
Replying to wwwpixime:
hi David,
Thank you for adding support for ECHDE ciphers with the latest build. I was able to test it with Cyberduck-11917.tar - the only issue I have now is why my uploads still end up as 0-bytes even when the Cyberduck GUI verified with an "upload complete" notice?
on the backup, Apache logs the PUT request as 200 (success) with 663 bytes out, 390 bytes in but the actual filesize is 139KB
x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PUT /w/webdav/sjjsk/telma-042313-filtered1.jpg HTTP/1.1" 200 663 390 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)" x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PROPFIND /w/webdav/sjjsk/ HTTP/1.1" 207 711 3184 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)"All other WebDAV/S clients I've tested except Cyberduck works, even curl works with
curl -u webdav:webdav -T /path/to/local/filename https://teban.pixi.me/w/webdav/I will pay for a license from the Mac App Store if I can get this working somehow. Please advise, thank you!
This is an entirely different issue caused by a regression in current unstable snapshot builds. Can you replicate this with build r11968 or later? Then please find any related output in the system.log (/Applications/Utilities/Console.app).
comment:5 follow-up: ↓ 6 Changed on Nov 24, 2013 at 6:47:05 PM by wwwpixime
just confirming ECDHE support is working for Mac OS X (latest built) - but the Windows build only supports RC4-SHA (latest build)
The negotiation works here with the latest snapshot build as these builds have an updated SSL stack.