Troubleshooting Cipher Issues

Many error messages in third party apps related to ciphers will go away by upgrading the version of the app. We always recommend upgrading apps to the latest version because it often brings security and speed benefits.

This is especially true if it prevents you from using our insecure ciphers setting, which allows older insecure ciphers to be used for connections.

CuteFTP "Error in negotiating SSL connection"

CuteFTP versions prior to 9.2.0 do not support the ciphers needed for Files.com to operate securely. Suggest upgrading CuteFTP 9.2.0 or later, which fully supports secure encryption.

CuteFTP versions below 9.2.0 can only be supported using insecure ciphers.

SFTP Connection Failed with "DHG1_KEX_FALLBACK" Cipher

The Diffie-Hellman key exchange method implements a fallback for situations where the client and server cannot agree on a cipher strength. Falling back to a weaker cipher is supposed to be agreed upon by both the server and the client. Some clients contain a bug, causing them to ignore the server when it prohibits a fallback, and instead try to connect using the weaker fallback cipher.

For example, the cipher diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1 DHG1_KEX_FALLBACK indicates that the server requested the use of a strong cipher (diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1) but the client instead attempted to connect with a weaker fallback cipher (note the DHG1_KEX_FALLBACK part of the cipher string.)

To resolve this issue, and allow the fallback cipher, enable insecure ciphers for your site.

Failed SSH Key Exchange or Bad server public DH value error using Ipswitch WS_FTP or MoveIt

WS_FTP versions prior to 12.6 and MoveIt versions prior to 9.1.0.3.0 do not support the ciphers needed for Files.com to operate securely.

If these apps have already been upgraded, and are still receiving key exchange errors, note that there is a known issue with upgrading previous versions of WS_FTP Professional to 12.6 where the ssh-algos.txt file is not updated with the following ssh-kex: diffie-hellman-group-exchange-sha256.

Users can manually add this to the ssh-algos.txt file located at: C:\Users\<user>\AppData\Roaming\Ipswitch\WS_FTP to resolve this.

Error connecting to REST API with .NET ("An unexpected error occurred on a send")

As of May 2025, .NET does not fully support TLS 1.3, which causes this error to occur.

Microsoft .NET versions below 6 don't work with our default secure ciphers.

.NET 6 and newer provide partial TLS 1.3 support only on operating systems with native TLS 1.3 capabilities, specifically Windows 11, Windows Server 2022, or Linux distributions backed by OpenSSL 1.1.1 or later.

For .NET 4.5., TLS 1.2 is supported, but it’s not a default protocol. You need to opt-in to use it. The following code will make TLS 1.2 default - make sure to execute it before making a connection to the secured resource: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

For .NET 4.0., TLS 1.2 is not supported. Upgrade your application to a more recent version of the framework.

If you are unable to upgrade your .NET application, you will need to use the Insecure Ciphers capability of Files.com.