no ECDHE cipher suites in vsftpd

Bug #1301808 reported by bitbeans
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
vsftpd (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Systeminfo:

Description: Ubuntu 12.04.4 LTS
Release: 12.04

vsftpd:
  Installed: 3.0.2-1ubuntu2
  Candidate: 3.0.2-1ubuntu2
  Version table:
 *** 3.0.2-1ubuntu2 0
        100 /var/lib/dpkg/status
     2.3.5-1ubuntu2 0
        500 http://mirror.hetzner.de/ubuntu/packages/ precise/main amd64 Packages

Problem:

When I try to configure my vsftpd server to use ECDHE-based ciphers, I get the following error (no shared cipher) in the vsftpd.log file.

Thu Apr 3 10:26:58 2014 [pid 20595] CONNECT: Client "<CLIENTIP>"
Thu Apr 3 10:26:58 2014 [pid 20595] FTP response: Client "<CLIENTIP>", "220 v1"
Thu Apr 3 10:26:58 2014 [pid 20595] FTP command: Client "<CLIENTIP>", "AUTH TLS"
Thu Apr 3 10:26:58 2014 [pid 20595] FTP response: Client "<CLIENTIP>", "234 Proceed with negotiation."
Thu Apr 3 10:26:58 2014 [pid 20595] DEBUG: Client "<CLIENTIP>", "SSL_accept failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"

Tests:

Ciphers I have tested (only high security, so: no SHA):

 openssl ciphers -v 'EECDH+AESGCM EDH+AESGCM EECDH -RC4 -EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SHA'

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256

The problem also comes up with:

ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1

We need this feature for higher security on all FTPS transfers.
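
A log triage sketch for the failure quoted in the report above, added here as an example (not part of the original report and not vsftpd code): it pairs each AUTH TLS/AUTH SSL command with a later "SSL_accept failed" debug line from the same pid and splits out the OpenSSL error fields. The function name and the second, successful session in the sample log are constructed for illustration.

```python
import re

# Sample in the vsftpd.log format quoted in the report. Session pid 20595 is the
# report's failing session; pid 20611 is a constructed session that gets past TLS.
SAMPLE_LOG = '''\
Thu Apr 3 10:26:58 2014 [pid 20595] CONNECT: Client "<CLIENTIP>"
Thu Apr 3 10:26:58 2014 [pid 20595] FTP response: Client "<CLIENTIP>", "220 v1"
Thu Apr 3 10:26:58 2014 [pid 20595] FTP command: Client "<CLIENTIP>", "AUTH TLS"
Thu Apr 3 10:26:58 2014 [pid 20595] FTP response: Client "<CLIENTIP>", "234 Proceed with negotiation."
Thu Apr 3 10:26:58 2014 [pid 20595] DEBUG: Client "<CLIENTIP>", "SSL_accept failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
Thu Apr 3 10:31:02 2014 [pid 20611] FTP command: Client "<CLIENTIP>", "AUTH TLS"
Thu Apr 3 10:31:02 2014 [pid 20611] FTP response: Client "<CLIENTIP>", "234 Proceed with negotiation."
Thu Apr 3 10:31:03 2014 [pid 20611] FTP command: Client "<CLIENTIP>", "USER anonymous"
'''

# timestamp, [pid N], record kind, client, optional quoted message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?P<kind>[A-Za-z ]+): Client "(?P<client>[^"]*)"(?:, "(?P<msg>.*)")?$'
)
# OpenSSL error string layout: error:<hex code>:<library>:<function>:<reason>
SSL_ERR_RE = re.compile(
    r'SSL_accept failed: error:(?P<code>[0-9A-Fa-f]+):'
    r'(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.+)'
)

def tls_handshake_failures(log_text):
    """Return one dict per session whose AUTH TLS/SSL was followed by SSL_accept failing."""
    auth_seen = {}   # pid -> timestamp of the AUTH command
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats rather than guessing
        pid, kind, msg = m['pid'], m['kind'], m['msg'] or ''
        if kind == 'FTP command' and msg.upper() in ('AUTH TLS', 'AUTH SSL'):
            auth_seen[pid] = m['ts']
        elif kind == 'DEBUG' and pid in auth_seen:
            err = SSL_ERR_RE.search(msg)
            if err:
                failures.append({'pid': pid, 'client': m['client'],
                                 'auth_at': auth_seen[pid], **err.groupdict()})
    return failures

if __name__ == '__main__':
    for f in tls_handshake_failures(SAMPLE_LOG):
        print(f"pid {f['pid']} {f['client']}: {f['reason']} "
              f"(error {f['code']}, {f['func']})")
```
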

Jamie Strandboge (jdstrand) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public