Support ECHDE cipher suites

[cyberduck]

34092a6 created the issue

Here's my Apache/2.4.4 (FreeBSD) OpenSSL/1.0.1e configuration:

SSLProtocol -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA

here's the target WebDAV/S resource:

URL: https://teban.pixi.me
Remote Path: /w/webdav/
Username: webdav
Password: webdav

When I attempt to connect, I get the following error from Cyberduck 4.3.1

 I/O Error: Connection failed, Received fatal alert: handshake_failure.

So my questions are as follows:

1. is SSLv3 a requirement for Cyberduck to connect with an HTTPS endpoint?
2. does it / will it support ECHDE ciphersuites alongside TLSv1-1.2 protocols?

Please advise, thank you!

[cyberduck]

@dkocher commented

The negotiation works here with the latest snapshot build as these builds have an updated SSL stack.

HEAD /w/webdav/ HTTP/1.1
Host: teban.pixi.me
Connection: Keep-Alive
User-Agent: Cyberduck/4.4 (Mac OS X/10.8.4) (x86_64)
Authorization: Basic d2ViZGF2OndlYmRhdg==
HTTP/1.1 403 Forbidden
Date: Sat, 13 Jul 2013 09:41:48 GMT
Server: Apache
Keep-Alive: timeout=6
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
PROPFIND /w/webdav/ HTTP/1.1
Depth: 1
Content-Type: text/xml; charset=utf-8
Content-Length: 0
Host: teban.pixi.me
Connection: Keep-Alive
User-Agent: Cyberduck/4.4 (Mac OS X/10.8.4) (x86_64)
Authorization: Basic d2ViZGF2OndlYmRhdg==
HTTP/1.1 403 Forbidden
Date: Sat, 13 Jul 2013 09:41:48 GMT
Server: Apache
Content-Length: 1
Keep-Alive: timeout=6
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

[cyberduck]

34092a6 commented

hi David,

Thank you for adding support for ECHDE ciphers with the latest build. I was able to test it with Cyberduck-11917.tar - the only issue I have now is why my uploads still end up as 0-bytes even when the Cyberduck GUI verified with an "upload complete" notice?

on the backup, Apache logs the PUT request as 200 (success) with 663 bytes out, 390 bytes in but the actual filesize is 139KB

x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PUT /w/webdav/sjjsk/telma-042313-filtered1.jpg HTTP/1.1" 200 663 390 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)"


x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PROPFIND /w/webdav/sjjsk/ HTTP/1.1" 207 711 3184 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)"

All other WebDAV/S clients I've tested except Cyberduck works, even curl works with

curl -u webdav:webdav -T /path/to/local/filename https://teban.pixi.me/w/webdav/

I will pay for a license from the Mac App Store if I can get this working somehow.
Please advise, thank you!

[cyberduck]

@dkocher commented

Replying to [comment:3 wwwpixime]:

hi David,

Thank you for adding support for ECHDE ciphers with the latest build. I was able to test it with Cyberduck-11917.tar - the only issue I have now is why my uploads still end up as 0-bytes even when the Cyberduck GUI verified with an "upload complete" notice?

on the backup, Apache logs the PUT request as 200 (success) with 663 bytes out, 390 bytes in but the actual filesize is 139KB

x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PUT /w/webdav/sjjsk/telma-042313-filtered1.jpg HTTP/1.1" 200 663 390 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)"


x.x.x.x teban.pixi.me [13/Jul/2013:09:37:25 -0400] webdav "PROPFIND /w/webdav/sjjsk/ HTTP/1.1" 207 711 3184 "-" "Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)"

All other WebDAV/S clients I've tested except Cyberduck works, even curl works with

curl -u webdav:webdav -T /path/to/local/filename https://teban.pixi.me/w/webdav/

I will pay for a license from the Mac App Store if I can get this working somehow.
Please advise, thank you!

This is an entirely different issue caused by a regression in current unstable snapshot builds. Can you replicate this with build 3aff618 or later? Then please find any related output in the system.log (/Applications/Utilities/Console.app).

[cyberduck]

34092a6 commented

just confirming ECDHE support is working for Mac OS X (latest built) - but the Windows build only supports RC4-SHA (latest build)

[cyberduck]

@dkocher commented

Replying to [comment:5 wwwpixime]:

just confirming ECDHE support is working for Mac OS X (latest built) - but the Windows build only supports RC4-SHA (latest build)
In #7637.