Troubleshooting Cipher Issues
Many cipher-related error messages in third-party apps go away when you upgrade the app to its latest version. We recommend upgrading whenever possible, since newer versions usually bring security and speed improvements as well.
Upgrading is especially worthwhile when it lets you avoid the insecure ciphers setting, which allows older insecure ciphers to be used for connections.
CuteFTP "Error in negotiating SSL connection"
CuteFTP versions prior to 9.2.0 do not support the ciphers needed for Files.com to operate securely. Upgrade to CuteFTP 9.2.0 or later, which fully supports secure encryption.
CuteFTP versions below 9.2.0 work with Files.com only when insecure ciphers are enabled.
SFTP Connection Failed with "DHG1_KEX_FALLBACK" Cipher
The Diffie-Hellman key exchange method implements a fallback for situations where the client and server cannot agree on a cipher strength. A fallback to a weaker cipher requires agreement from both the server and the client. Some clients contain a bug that causes them to ignore the server when it prohibits a fallback, and they attempt to connect using the weaker fallback cipher anyway.
For example, the cipher diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1 DHG1_KEX_FALLBACK indicates that the server requested the use of a strong cipher (diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1) but the client instead attempted to connect with a weaker fallback cipher (note the DHG1_KEX_FALLBACK part of the cipher string).
To resolve this issue, and allow the fallback cipher, enable insecure ciphers for your site.
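To see which users and clients rely on the fallback, and therefore need an upgrade before insecure ciphers can be turned off again, search exported connection records for the DHG1_KEX_FALLBACK marker. The script below is an added example, not Files.com code. The CSV column layout and the sample rows are constructed assumptions; only the cipher string format comes from the example above.

```python
import csv
import io
from collections import defaultdict

FALLBACK_MARKER = "DHG1_KEX_FALLBACK"

# Constructed sample records. The column layout (username, ip, cipher) is an
# assumption; only the cipher string format is taken from the page.
SAMPLE_LOG = """\
username,ip,cipher
alice,192.0.2.10,diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1
batch-legacy,192.0.2.44,diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1 DHG1_KEX_FALLBACK
batch-legacy,192.0.2.44,diffie-hellman-group-exchange-sha256 aes128-ctr hmac-sha1 DHG1_KEX_FALLBACK
bob,192.0.2.17,
"""


def parse_cipher(cipher):
    """Split a cipher string into kex, encryption, MAC and a fallback flag."""
    tokens = cipher.split()
    fallback = FALLBACK_MARKER in tokens
    fields = [t for t in tokens if t != FALLBACK_MARKER]
    if len(fields) != 3:
        return None  # empty or malformed value: skip rather than guess
    kex, encryption, mac = fields
    return {"kex": kex, "encryption": encryption, "mac": mac,
            "fallback": fallback}


def fallback_clients(log_text):
    """Return {(username, ip): count} for connections that used the fallback."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        parsed = parse_cipher(row.get("cipher") or "")
        if parsed and parsed["fallback"]:
            counts[(row["username"], row["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, ip), n in sorted(fallback_clients(SAMPLE_LOG).items()):
        print(f"{user} from {ip}: {n} fallback connection(s), upgrade this client")
```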
Failed SSH Key Exchange or Bad server public DH value error using Ipswitch WS_FTP or MoveIt
WS_FTP versions prior to 12.6 and MoveIt versions prior to 9.1.0.3.0 do not support the ciphers needed for Files.com to operate securely.
If these apps have been upgraded and key exchange errors persist, there is a known issue when upgrading previous versions of WS_FTP Professional to 12.6: the ssh-algos.txt file is not updated with the diffie-hellman-group-exchange-sha256 ssh-kex entry.
To resolve this, manually add that entry to the ssh-algos.txt file located at C:\Users\<user>\AppData\Roaming\Ipswitch\WS_FTP.
Error connecting to REST API with .NET ("An unexpected error occurred on a send")
.NET does not fully support TLS 1.3, which causes this error.
Microsoft .NET versions below 6 don't work with our default secure ciphers.
.NET 6 and newer provide partial TLS 1.3 support only on operating systems with native TLS 1.3 capabilities, specifically Windows 11, Windows Server 2022, or Linux distributions backed by OpenSSL 1.1.1 or later.
.NET 4.5 supports TLS 1.2, but TLS 1.2 is not the default protocol. You need to opt in to use it. The following code makes TLS 1.2 the default, and it must run before any connection to the secured resource:
    using System.Net;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
.NET 4.0 does not support TLS 1.2. Upgrade your application to a more recent version of the framework.
If you cannot upgrade your .NET application, use the Insecure Ciphers capability of Files.com.