OpenSSL 1.0.2g cannot open a secure FTP connection.


tm8544
Junior Member
Posts: 14
Joined: 2008-11-29, 08:11 UTC
Location: Finland


Post by *tm8544 » 2016-03-05, 09:45 UTC

After updating to OpenSSL 1.0.2g, Total Commander 8.52a cannot open a secure FTP connection.

TC shows message "SSL: Error loading function SSLv2_client_method"

Probably has something to do with disabling SSLv2 in 1.0.2g (see the openssl.org announcement: "SSLv2 is now by default disabled at build-time.")

beb
Junior Member
Posts: 35
Joined: 2009-09-20, 08:03 UTC
Location: Odessa, Ukraine

Post by *beb » 2016-03-06, 00:19 UTC

Confirmed. Looks like critical.
#278521 User License
Total Commander 9.0a x86/x64 on Win10 x64
Total Commander 2.72 on Android 5.1.1

ghisler(Author)
Site Admin
Posts: 36434
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2016-03-07, 10:54 UTC

Sorry, TC cannot load the DLL because the function SSLv2_client_method isn't exported any more. I will try to support it in TC9. It's very bad practice by them to just remove functions instead of returning an error; it will break a lot of programs which link statically to the DLL. TC links dynamically via LoadLibrary, but checks whether functions are missing and refuses to use the DLL if any are missing.
Author of Total Commander
http://www.ghisler.com

HAL 9000
Senior Member
Posts: 384
Joined: 2007-09-10, 13:05 UTC

Post by *HAL 9000 » 2016-03-16, 09:05 UTC

There are 0 valid reasons to check for functions that have been totally insecure for ages. SSL is now completely unusable in TC; this legacy POS ain't available in 1.0.1s either. So, not really sure what you mean by "I will try to support it in TC9" :shock: :!:

ghisler(Author)
Site Admin
Posts: 36434
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2016-03-17, 11:36 UTC

It means that I will try to support the new DLL. The function SSLv2_client_method is still used to check what method was chosen during the connection, so it's a very bad idea by them to simply remove it.
Author of Total Commander
http://www.ghisler.com

karnin
Junior Member
Posts: 57
Joined: 2005-02-28, 08:57 UTC

Re: OpenSSL 1.0.2g can not open a secure FTP-connection.

Post by *karnin » 2016-03-18, 08:33 UTC

tm8544 wrote: TC shows message "SSL: Error loading function SSLv2_client_method"

Confirmed, same problem... :cry:

Edit:
Last working OpenSSL-version 1.0.2f can be downloaded here:
https://www.dropbox.com/s/yze8j3mcv9py7ua/Win32OpenSSL_1_0_2f_TCmd852a.zip?dl=0
(32+64-bit version)

Regards

PatrikNasfors
Junior Member
Posts: 3
Joined: 2016-03-29, 11:33 UTC
Location: Denmark

Post by *PatrikNasfors » 2016-03-29, 13:24 UTC

Hi all,

I just bumped into this thread, because I got an error message saying "OpenDLL library not found" when trying to activate SSL/TLS for an FTP connection, with OpenSSL DLLs from version 1.0.2g.

A bit of research makes me ask the following:
Does Total Commander really use SSLv2_client_method when initiating a secure connection?

According to the OpenSSL 1.0.2 manpage for SSLv2_client_method (sorry for being a new member, so I can't paste a link yet, but you can probably find it yourself :-) ), "A TLS/SSL connection established with these methods will only understand the SSLv2 protocol".

If that's true, newer and better versions of SSL and TLS are never used!

Instead, I think SSLv23_client_method should be used.

"These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Most applications should use these methods, and avoid the version specific methods described below."

I don't know anything about how Total Commander is built and uses these DLLs, but wouldn't it be possible to "just" use this function instead, to solve this problem?

Best regards,

Patrik Näsfors
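The two posts above describe the mechanism behind the error: TC resolves OpenSSL exports at runtime and rejects the whole DLL when any name in its list is missing, and 1.0.2g (built with SSLv2 disabled) no longer exports SSLv2_client_method. The following is an added example, not TC's code and not part of OpenSSL, of an import table that distinguishes required exports from optional ones so that a build without SSLv2/SSLv3 is still accepted. The resolver callback stands in for GetProcAddress (or dlsym); the two "fake DLL" lookup tables and the `fake_lookup_*` names are constructed for the demonstration, and the particular list of required exports is this example's assumption about what a minimal TLS client needs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Symbol resolver abstraction. On Windows this would wrap
 * GetProcAddress(hModule, name) after LoadLibrary(); on POSIX, dlsym().
 * Contract: returns NULL when the library does not export `name`. */
typedef void *(*symbol_lookup_fn)(const char *name);

typedef struct {
    const char *name;
    int required;   /* 1 = refuse the DLL if absent, 0 = tolerate absence */
    void *ptr;      /* resolved address, NULL if the export is missing */
} ssl_import;

/* Import table (assumed list for this example). The version-specific
 * SSLv2/SSLv3 entry points are optional: an OpenSSL built with no-ssl2
 * (the 1.0.2g default) or no-ssl3 does not export them at all, so
 * hard-requiring them rejects every current build. Everything needed for
 * a TLS connection via the version-flexible SSLv23_client_method is required. */
static ssl_import g_imports[] = {
    { "SSLv23_client_method", 1, NULL },
    { "SSL_CTX_new",          1, NULL },
    { "SSL_CTX_ctrl",         1, NULL },  /* SSL_CTX_set_options() is a macro over this in 1.0.x */
    { "SSL_new",              1, NULL },
    { "SSL_set_fd",           1, NULL },
    { "SSL_connect",          1, NULL },
    { "SSL_get_version",      1, NULL },  /* reports the negotiated protocol; no SSLv2_* needed */
    { "SSLv2_client_method",  0, NULL },
    { "SSLv3_client_method",  0, NULL },
};
#define N_IMPORTS (sizeof g_imports / sizeof g_imports[0])

/* Resolve every entry. Returns the number of *required* exports that are
 * missing (0 means the library is usable). The first missing required name
 * is reported through `first_missing` (may be NULL) for the error message. */
int resolve_openssl_exports(symbol_lookup_fn lookup, const char **first_missing)
{
    int missing_required = 0;
    if (first_missing) *first_missing = NULL;
    for (size_t i = 0; i < N_IMPORTS; i++) {
        g_imports[i].ptr = lookup(g_imports[i].name);
        if (g_imports[i].ptr == NULL && g_imports[i].required) {
            if (first_missing && *first_missing == NULL)
                *first_missing = g_imports[i].name;
            missing_required++;
        }
    }
    return missing_required;
}

/* 1 if the named export resolved, 0 otherwise. Callers branch on optional
 * symbols through this instead of assuming they exist. */
int ssl_export_available(const char *name)
{
    for (size_t i = 0; i < N_IMPORTS; i++)
        if (strcmp(g_imports[i].name, name) == 0)
            return g_imports[i].ptr != NULL;
    return 0;
}

/* ---- Constructed stand-ins for DLL builds (no real OpenSSL is loaded) ---- */
static char g_stub;  /* any non-NULL address plays the role of a real export */

static void *lookup_in(const char *const *exports, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(exports[i], name) == 0) return &g_stub;
    return NULL;
}

/* Approximates a 1.0.2f build: SSLv2 still compiled in. */
void *fake_lookup_102f(const char *name)
{
    static const char *const exports[] = {
        "SSLv23_client_method", "SSL_CTX_new", "SSL_CTX_ctrl", "SSL_new",
        "SSL_set_fd", "SSL_connect", "SSL_get_version",
        "SSLv2_client_method", "SSLv3_client_method" };
    return lookup_in(exports, sizeof exports / sizeof exports[0], name);
}

/* Approximates a 1.0.2g build: same, minus SSLv2_client_method. */
void *fake_lookup_102g(const char *name)
{
    static const char *const exports[] = {
        "SSLv23_client_method", "SSL_CTX_new", "SSL_CTX_ctrl", "SSL_new",
        "SSL_set_fd", "SSL_connect", "SSL_get_version", "SSLv3_client_method" };
    return lookup_in(exports, sizeof exports / sizeof exports[0], name);
}

/* A file that merely carries the OpenSSL DLL name but lacks SSL_connect:
 * this is the case the validity check is actually for. */
void *fake_lookup_foreign(const char *name)
{
    static const char *const exports[] = { "SSLv23_client_method", "SSL_CTX_new" };
    return lookup_in(exports, sizeof exports / sizeof exports[0], name);
}

int main(void)
{
    const char *missing;
    int bad = resolve_openssl_exports(fake_lookup_102g, &missing);
    printf("1.0.2g usable: %s; SSLv2_client_method present: %d\n",
           bad == 0 ? "yes" : missing, ssl_export_available("SSLv2_client_method"));
    return bad;
}
```

With the table resolved, the client side needs only the required entries: `SSLv23_client_method()` for the context, `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` to restrict negotiation to TLS, and `SSL_get_version(ssl)` after `SSL_connect()` to report which protocol was actually negotiated, so no SSLv2-specific export is needed for that check either.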

ghisler(Author)
Site Admin
Posts: 36434
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2016-03-31, 09:30 UTC

TC links dynamically to the DLL, but reports an error if any of the functions is missing. This is to ensure that the DLL is valid. Who could have guessed that they would suddenly remove functions!? Really a stupid move.
Author of Total Commander
http://www.ghisler.com

HAL 9000
Senior Member
Posts: 384
Joined: 2007-09-10, 13:05 UTC

Post by *HAL 9000 » 2016-04-02, 09:17 UTC

ghisler(Author) wrote: This is to ensure that the DLL is valid. Who could have guessed that they would suddenly remove functions!? Really a stupid move.

Checking for totally deprecated, insanely insecure sh** that no one sane was using for ~10 years and expecting it to stay there forever ain't exactly smart either. :roll:

Please fix this ASAP, this is a complete showstopper for FTP usage (and no, suggestions to use vulnerable OpenSSL versions do not count as solution).

Hacker
Moderator
Posts: 11023
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker » 2016-04-02, 10:28 UTC

HAL 9000 wrote: suggestions to use vulnerable OpenSSL versions do not count as solution

Why not? Is TC using any of the vulnerable functions or is it just checking for their presence?

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect you drop dead.

HAL 9000
Senior Member
Posts: 384
Joined: 2007-09-10, 13:05 UTC

Post by *HAL 9000 » 2016-04-20, 17:33 UTC

Hacker wrote: Why not? Is TC using any of the vulnerable functions or is it just checking for their presence?

Uhm... Everything on the system will use that vulnerable OpenSSL version. Let me quote someone else.
Stop asking me for versions of OpenSSL that have security vulnerabilities in them! That would be any version of OpenSSL prior to the absolute latest build. This is a security product and yet people regularly ask me for a version with security vulnerabilities in it! Oh the irony. Please punch yourself in the face to knock some common sense into yourself. Thank you.
:roll: :cry:

Hacker
Moderator
Posts: 11023
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker » 2016-04-20, 20:40 UTC

HAL 9000 wrote: Everything on the system will use that vulnerable OpenSSL version.

Huh? Why would any software look for DLLs in TC's installation directory?

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect you drop dead.

HAL 9000
Senior Member
Posts: 384
Joined: 2007-09-10, 13:05 UTC

Post by *HAL 9000 » 2016-04-24, 18:44 UTC

Hacker wrote: Huh? Why would any software look for DLLs in TC's installation directory?

Dunno what you are doing with your machines; I'm installing OpenSSL into the system, so the DLLs go to %WinDir%\System32 and %WinDir%\SysWOW64. I seriously have better things to do than maintaining a separate per-app copy of OpenSSL depending on how screwed up the apps happen to be.

Sigh. Fix the stupid bug, end of story.

wlnx
Junior Member
Posts: 2
Joined: 2012-09-08, 15:16 UTC

SSLv2_client_method

Post by *wlnx » 2016-04-26, 21:25 UTC

My +1 is here. I suspect that FTPS is used for security reasons, that's why using insecure OpenSSL versions looks... ehm... a bit strange. I use the 1.0.2f build for now, but I hope this will be fixed.
Thanks beforehand and great respect.

karnin
Junior Member
Posts: 57
Joined: 2005-02-28, 08:57 UTC

Post by *karnin » 2016-06-09, 07:08 UTC

Any news about this issue?
(In TC9 beta1 there seems to be further development for TLS 1.1/TLS 1.2, but using a beta version in a production environment is risky...)
