This is the reply from the system admins of the host I am trying to connect to.
"It appears that Directory Opus wants to use a rather old (and insecure) cipher when authenticating with SSH2... We would strongly prefer not to enable the older CDC cipher due to known vulnerabilities in this method.
I would respond to Opus support that they should really implement CTR support in their software for SSH, due to the known security hole in CDC."
Is there any update on this? I just purchased the Advanced FTP module and ran into the same issue (putty can connect just fine, DirOpus claims to use putty for connecting, according to the log, but fails to find a matching cipher). Shouldn't support for standard secure SSH ciphers be the minimum requirement for the Advanced FTP module? After all, that's why we pay extra for it over just using standard FTP.
No update, but it's still on our list. An overhaul of the SFTP code is being considered, but we don't have any final plans to announce yet, and won't for a while as we've only just done a major release and are busy with the work that comes from that.
Re standard SSH ciphers, there are lots of different standards, unfortunately. The ones Opus supports are also supported by the vast majority of servers, but servers are free to add/remove ciphers as they see fit.
I'm still on dopus 10, and this is the only useful hit via Google when searching for dopus ciphers. Based on your comment in March, I assume this hasn't been worked on yet.
OpenSSH 6.7 was released in early October. This build eliminates those insecure ciphers:
[code]Changes since OpenSSH 6.6
Potentially-incompatible changes
sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
[/code]
As it is a public release, this has been adopted by LOTS of servers and other use cases. My own scenario, OpenSSH via Cydia on a jailbroken iPhone, is a standard build. I have attempted to enable the AES256-CDC cipher that dopus uses but the server daemon errors. Enabling arcfour works fine, but dopus doesn't use that. I've fallen back to an older build of OpenSSH, but that's not the best solution considering what it is.
TL;DR: This is rather urgent. Can this be escalated in the todo list?
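Added example, not part of the original posts and not code from Opus or OpenSSH: a small Python model of the SSH cipher negotiation rule (the first cipher in the client's list that the server also offers), showing why a CBC-only client finds no match against a post-6.7 default and what an explicit `Ciphers` line changes. The cipher names are real OpenSSH names, but the default list, both client lists and both config snippets are constructed assumptions.

```python
import re

# Constructed lists using real OpenSSH cipher names.
# Assumption: representative of an sshd default set after 6.7 (no CBC, no arcfour).
POST_67_DEFAULT = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                   "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                   "chacha20-poly1305@openssh.com"]

def server_ciphers(config_text, default=POST_67_DEFAULT):
    """Cipher list sshd would offer: first 'Ciphers' line wins, else the default."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)ciphers[\s=]+(\S+)", line)  # keyword is case-insensitive
        if m:
            return m.group(1).split(",")
    return list(default)

def negotiate(client, server):
    """RFC 4253 7.1: pick the first cipher in the client's list the server also has."""
    return next((c for c in client if c in server), None)

def is_legacy(cipher):
    """True for the families 6.7 dropped from the defaults: CBC modes and arcfour*."""
    return cipher is not None and (cipher.endswith("-cbc") or cipher.startswith("arcfour"))

def check(client, config_text):
    """Describe the negotiation outcome for one client list against one sshd_config."""
    chosen = negotiate(client, server_ciphers(config_text))
    if chosen is None:
        return "no matching cipher"
    return f"{chosen} (legacy, re-enabled explicitly)" if is_legacy(chosen) else chosen

# Hypothetical clients (constructed, not taken from any product's real offer list).
CBC_ONLY_CLIENT = ["aes256-cbc", "3des-cbc"]
CTR_CLIENT = ["aes256-ctr", "aes256-cbc"]

STOCK_CONFIG = "Port 22\n# Ciphers aes256-cbc\n"            # no active Ciphers line
LEGACY_CONFIG = "Port 22\nCiphers aes256-ctr,aes256-cbc\n"  # CBC added back by hand

if __name__ == "__main__":
    for name, client in (("cbc-only", CBC_ONLY_CLIENT), ("ctr", CTR_CLIENT)):
        for label, cfg in (("stock", STOCK_CONFIG), ("legacy", LEGACY_CONFIG)):
            print(f"{name:8} vs {label:6}: {check(client, cfg)}")
```

The model ignores the `+`/`-` list modifiers that later OpenSSH releases accept in `Ciphers`, and it covers only the cipher field, not MACs or key exchange.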
This is an absolute deal breaker for me. My primary use for DOpus is in working with a large number of remote servers via its FTP integration and as time goes on, I'm more and more unable to connect to servers as they upgrade and the insecure ciphers are removed.
Sorry, I don't understand the issue here. Am I missing something?
The SSH and SSL libraries in Opus are current at the time of release of the main version and are progressively updated during the lifetime of that version. Those in the current version of Opus 11 are fully up-to-date with the latest releases. Older versions of Opus (8/9/10 etc.) are deprecated and will not be updated. If you wish to use protocols released since the release of your older version of Opus 10, then you need to upgrade to Opus 11.
Any update on this issue? My SFTP connections had been working for a few years; however, in the last couple of months I have been unable to connect Opus.
SFTP works in general. If you have trouble connecting to a site, please start a new thread with proper details, including what the log says. The FAQs have a list of suggestions for FTP/SFTP issues as well, which it makes sense to try first.