OpenSSL 1.0.2g can not open a secure FTP-connection.

[tm8544]

After update to OpenSSL 1.0.2g, Total Commander 8.52a can not open a secure FTP-connection.

TC shows message "SSL: Error loading function SSLv2_client_method"

Propably has something to do with disabling SSLv2 in 1.0.2g (see openssl.org announcement: SSLv2 is now by default disabled at build-time.)

[beb]

Confirmed. Looks like critical.

[ghisler(Author)]

Sorry, TC cannot load the dll because the function SSLv2_client_method isn't exported any more. I will try to support it in TC9. It's very bad practice by them to just remove functions instead of returning an error, it will break a lot of programs which link statically to the dll. TC links dynamically via LoadLibrary, but checks whether functions are missing and refuses to use the dll if any are missing.

[HAL 9000]

There are 0 valid reasons to check for functions that have been totally insecure for ages. SSL is now completely unusable in TC, this legacy POS ain't available in 1.0.1s either. So - not really sure what you mean by "I will try to support it in TC9"

[ghisler(Author)]

It means that I will try to support the new dll. The function SLv2_client_method is still used to check what method was chosen during the connection, so it's a very bad idea by them to simply remove it.

[karnin]

TC shows message "SSL: Error loading function SSLv2_client_method"

Confirmed, same problem...

Edit:
Last working OpenSSL-version 1.0.2f can be downloaded here:
https://www.dropbox.com/s/yze8j3mcv9py7ua/Win32OpenSSL_1_0_2f_TCmd852a.zip?dl=0
(32+64-bit version)

Regards

[PatrikNasfors]

Hi all,

I just bumped into this thread, because I got an error message saying OpenDLL library not found, when trying to activate SSL/TLS for an FTP connection, with OpenSSL DLL's from version 1.0.2g.

A short research, makes me ask the following:
Does Total Commander really use the SLv2_client_method, when initiating a secure connection?

According to the OpenSSL 1.0.2 manpages for SSLv2_client_method (sorry for being a new member, so I can't pase link yet, but you can probably find it yourself ), "A TLS/SSL connection established with these methods will only understand the SSLv2 protocol".

If that's true, newer and better versions of SSL and TLS are never used!

Instead, I think SSLv23_client_method should be used.

"These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Most applications should use these method, and avoid the version specific methods described below."

I don't know anything about how Total Commander is build and using these DLL's, but wouldn't it be possible to "just" use this function instead, to solve this problem?

Best regards,

Patrik Näsfors

[ghisler(Author)]

TC links dynamically to the DLL, but reports an error if any of the functions is missing. This is to ensure that the DLL is valid. Who could have guessed that they would suddently remove functions!? Really a stupid move.

[HAL 9000]

This is to ensure that the DLL is valid. Who could have guessed that they would suddently remove functions!? Really a stupid move.

Checking for totally deprecated insanely insecure sh** that noone sane was using for ~10 years and expecting it to stay there forever ain't exactly smart either.

Please fix this ASAP, this is a complete showstopper for FTP usage (and no, suggestions to use vulnerable OpenSSL versions do not count as solution).

[Hacker]

HAL 9000,

suggestions to use vulnerable OpenSSL versions do not count as solution

Why not? Is TC using any of the vulnerable functions or is it just checking for their presence?

Roman

[HAL 9000]

HAL 9000,
Why not? Is TC using any of the vulnerable functions or is it just checking for their presence?

Uhm... Everything on the system will use that vulnerable OpenSSL version. Let me quote someone else.

Stop asking me for versions of OpenSSL that have security vulnerabilities in them! That would be any version of OpenSSL prior to the absolute latest build. This is a security product and yet people regularly ask me for a version with security vulnerabilities in it! Oh the irony. Please punch yourself in the face to knock some common sense into yourself. Thank you.

[Hacker]

HAL 9000,

Everything on the system will use that vulnerable OpenSSL version.

Huh? Why would any software look for DLLs in TC's installation directory?

Roman

[HAL 9000]

HAL 9000,

Everything on the system will use that vulnerable OpenSSL version.

Huh? Why would any software look for DLLs in TC's installation directory?

Roman

Dunno what you are doing with your machines, I'm installing OpenSSL into system, so the DLLs go to %WinDir%\System32 and %WinDir%\SysWOW64. Seriously have better things to do than maintaing a separate per-app copy of OpenSSL depending on how much screwed the apps happen to be.

Sigh. Fix the stupid bug, end of story.

[wlnx]

My +1 is here. I suspect that ftps is used for security reasons, that's why using insecure openssl versions looks... ehm... a bit strange thing. I use 1.0.2f build for now, but I hope this will be fixed.
Thanks beforehand and great respect.

[karnin]

Any news about this issue?
(In TC9-beta1 there seems to be further developement for TLS-1.1/TLS-1.2, but using beta version in production environment is risky...)