This forum uses cookies. Click X button to hide this message. What is stored? / Privacy
Total Commander Forum Index Total Commander
Forum - Public Discussion and Support
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

OpenSSL 1.0.2g can not open a secure FTP-connection.
Goto page 1, 2  Next
 
Post new topic   Reply to topic    Total Commander Forum Index -> TC8.5x bug reports (English) Printable version
View previous topic :: View next topic  
Author Message
tm8544
Junior Member
Junior Member


Joined: 29 Nov 2008
Posts: 14
Location: Finland

PostPosted: Sat Mar 05, 2016 3:45 am    Post subject: OpenSSL 1.0.2g can not open a secure FTP-connection. Reply with quote

After update to OpenSSL 1.0.2g, Total Commander 8.52a can not open a secure FTP-connection.

TC shows message "SSL: Error loading function SSLv2_client_method"

Propably has something to do with disabling SSLv2 in 1.0.2g (see openssl.org announcement: SSLv2 is now by default disabled at build-time.)
Back to top
View user's profile Send private message
beb
Junior Member
Junior Member


Joined: 20 Sep 2009
Posts: 35
Location: Odessa, Ukraine

PostPosted: Sat Mar 05, 2016 6:19 pm    Post subject: Reply with quote

Confirmed. Looks like critical.
_________________
#278521 User License
Total Commander 9.0a x86/x64 on Win10 x64
Total Commander 2.72 on Android 5.1.1
Back to top
View user's profile Send private message
ghisler(Author)
Site Admin
Site Admin


Joined: 04 Feb 2003
Posts: 35455
Location: Switzerland

PostPosted: Mon Mar 07, 2016 4:54 am    Post subject: Reply with quote

Sorry, TC cannot load the dll because the function SSLv2_client_method isn't exported any more. I will try to support it in TC9. It's very bad practice by them to just remove functions instead of returning an error, it will break a lot of programs which link statically to the dll. TC links dynamically via LoadLibrary, but checks whether functions are missing and refuses to use the dll if any are missing.
_________________
Author of Total Commander
http://www.ghisler.com
Back to top
View user's profile Send private message Send e-mail Visit poster's website
HAL 9000
Senior Member
Senior Member


Joined: 10 Sep 2007
Posts: 378

PostPosted: Wed Mar 16, 2016 3:05 am    Post subject: Reply with quote

There are 0 valid reasons to check for functions that have been totally insecure for ages. SSL is now completely unusable in TC, this legacy POS ain't available in 1.0.1s either. So - not really sure what you mean by "I will try to support it in TC9" Shocked Exclamation
Back to top
View user's profile Send private message
ghisler(Author)
Site Admin
Site Admin


Joined: 04 Feb 2003
Posts: 35455
Location: Switzerland

PostPosted: Thu Mar 17, 2016 5:36 am    Post subject: Reply with quote

It means that I will try to support the new dll. The function SLv2_client_method is still used to check what method was chosen during the connection, so it's a very bad idea by them to simply remove it.
_________________
Author of Total Commander
http://www.ghisler.com
Back to top
View user's profile Send private message Send e-mail Visit poster's website
karnin
Junior Member
Junior Member


Joined: 28 Feb 2005
Posts: 57

PostPosted: Fri Mar 18, 2016 2:33 am    Post subject: Re: OpenSSL 1.0.2g can not open a secure FTP-connection. Reply with quote

tm8544 wrote:
TC shows message "SSL: Error loading function SSLv2_client_method"

Confirmed, same problem... Crying or Very sad

Edit:
Last working OpenSSL-version 1.0.2f can be downloaded here:
https://www.dropbox.com/s/yze8j3mcv9py7ua/Win32OpenSSL_1_0_2f_TCmd852a.zip?dl=0
(32+64-bit version)

Regards
Back to top
View user's profile Send private message
PatrikNasfors
Junior Member
Junior Member


Joined: 29 Mar 2016
Posts: 3
Location: Denmark

PostPosted: Tue Mar 29, 2016 7:24 am    Post subject: Reply with quote

Hi all,

I just bumped into this thread, because I got an error message saying OpenDLL library not found, when trying to activate SSL/TLS for an FTP connection, with OpenSSL DLL's from version 1.0.2g.

A short research, makes me ask the following:
Does Total Commander really use the SLv2_client_method, when initiating a secure connection?

According to the OpenSSL 1.0.2 manpages for SSLv2_client_method (sorry for being a new member, so I can't pase link yet, but you can probably find it yourself Smile ), "A TLS/SSL connection established with these methods will only understand the SSLv2 protocol".

If that's true, newer and better versions of SSL and TLS are never used!

Instead, I think SSLv23_client_method should be used.

"These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Most applications should use these method, and avoid the version specific methods described below."

I don't know anything about how Total Commander is build and using these DLL's, but wouldn't it be possible to "just" use this function instead, to solve this problem?

Best regards,

Patrik Näsfors
Back to top
View user's profile Send private message Send e-mail
ghisler(Author)
Site Admin
Site Admin


Joined: 04 Feb 2003
Posts: 35455
Location: Switzerland

PostPosted: Thu Mar 31, 2016 3:30 am    Post subject: Reply with quote

TC links dynamically to the DLL, but reports an error if any of the functions is missing. This is to ensure that the DLL is valid. Who could have guessed that they would suddently remove functions!? Really a stupid move.
_________________
Author of Total Commander
http://www.ghisler.com
Back to top
View user's profile Send private message Send e-mail Visit poster's website
HAL 9000
Senior Member
Senior Member


Joined: 10 Sep 2007
Posts: 378

PostPosted: Sat Apr 02, 2016 3:17 am    Post subject: Reply with quote

ghisler(Author) wrote:
This is to ensure that the DLL is valid. Who could have guessed that they would suddently remove functions!? Really a stupid move.


Checking for totally deprecated insanely insecure sh** that noone sane was using for ~10 years and expecting it to stay there forever ain't exactly smart either. Rolling Eyes

Please fix this ASAP, this is a complete showstopper for FTP usage (and no, suggestions to use vulnerable OpenSSL versions do not count as solution).
Back to top
View user's profile Send private message
Hacker
Moderator
Moderator


Joined: 06 Feb 2003
Posts: 10851
Location: Bratislava, Slovakia

PostPosted: Sat Apr 02, 2016 4:28 am    Post subject: Reply with quote

HAL 9000,
Quote:
suggestions to use vulnerable OpenSSL versions do not count as solution

Why not? Is TC using any of the vulnerable functions or is it just checking for their presence?

Roman
_________________
Mal angenommen, du drückst Strg+F, wählst die FTP-Verbindung (mit gespeichertem Passwort), klickst aber nicht auf Verbinden, sondern fällst tot um.
Back to top
View user's profile Send private message Send e-mail
HAL 9000
Senior Member
Senior Member


Joined: 10 Sep 2007
Posts: 378

PostPosted: Wed Apr 20, 2016 11:33 am    Post subject: Reply with quote

Hacker wrote:
HAL 9000,
Why not? Is TC using any of the vulnerable functions or is it just checking for their presence?


Uhm... Everything on the system will use that vulnerable OpenSSL version. Let me quote someone else.

Quote:

Stop asking me for versions of OpenSSL that have security vulnerabilities in them! That would be any version of OpenSSL prior to the absolute latest build. This is a security product and yet people regularly ask me for a version with security vulnerabilities in it! Oh the irony. Please punch yourself in the face to knock some common sense into yourself. Thank you.


Rolling Eyes Crying or Very sad
Back to top
View user's profile Send private message
Hacker
Moderator
Moderator


Joined: 06 Feb 2003
Posts: 10851
Location: Bratislava, Slovakia

PostPosted: Wed Apr 20, 2016 2:40 pm    Post subject: Reply with quote

HAL 9000,
Quote:
Everything on the system will use that vulnerable OpenSSL version.

Huh? Why would any software look for DLLs in TC's installation directory?

Roman
_________________
Mal angenommen, du drückst Strg+F, wählst die FTP-Verbindung (mit gespeichertem Passwort), klickst aber nicht auf Verbinden, sondern fällst tot um.
Back to top
View user's profile Send private message Send e-mail
HAL 9000
Senior Member
Senior Member


Joined: 10 Sep 2007
Posts: 378

PostPosted: Sun Apr 24, 2016 12:44 pm    Post subject: Reply with quote

Hacker wrote:
HAL 9000,
Quote:
Everything on the system will use that vulnerable OpenSSL version.

Huh? Why would any software look for DLLs in TC's installation directory?

Roman


Dunno what you are doing with your machines, I'm installing OpenSSL into system, so the DLLs go to %WinDir%\System32 and %WinDir%\SysWOW64. Seriously have better things to do than maintaing a separate per-app copy of OpenSSL depending on how much screwed the apps happen to be.

Sigh. Fix the stupid bug, end of story.
Back to top
View user's profile Send private message
wlnx
Junior Member
Junior Member


Joined: 08 Sep 2012
Posts: 2

PostPosted: Tue Apr 26, 2016 3:25 pm    Post subject: SSLv2_client_method Reply with quote

My +1 is here. I suspect that ftps is used for security reasons, that's why using insecure openssl versions looks... ehm... a bit strange thing. I use 1.0.2f build for now, but I hope this will be fixed.
Thanks beforehand and great respect.
Back to top
View user's profile Send private message
karnin
Junior Member
Junior Member


Joined: 28 Feb 2005
Posts: 57

PostPosted: Thu Jun 09, 2016 1:08 am    Post subject: Reply with quote

Any news about this issue?
(In TC9-beta1 there seems to be further developement for TLS-1.1/TLS-1.2, but using beta version in production environment is risky...)
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Total Commander Forum Index -> TC8.5x bug reports (English) All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Imprint/Impressum: This site is maintained by Ghisler Software GmbH
Privacy Policy | Datenschutzerklärung | Politique de Confidentialité

Using phpBB © phpBB Group