Articles and news

We are pleased to announce the latest release of SFTPPlus, version 3.8.0.

In this release we expanded the list of supported Linux distribution to include Ubuntu 16.04 LTS on X86_64. We have also added an experimental Linux build for hardened distribution build with an OpenSSL without SSLv3.

Here is the list of the important new functionalities:

• Event with ID 10042 is now emitted for all FTP command channels which are not closed in a clean way. [ftp][ftps]
• Add support for Syslog over TCP as documented in RFC 6587. [syslog]

This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:

• Transfers that process multiple files in distinct batches are working now.
• Syslog messages are now formatted according to RFC 3164 also known as syslog-bsd.
• Fix new line delimiter conversion for server-side FTP downloads in ASCII mode.]

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

We are pleased to announce the latest release of SFTPPlus, version 3.7.0.

Here is the list of the important new functionalities:

• The OpenSSL version distributed in our Windows version was updated to OpenSSL 1.0.2g.
• The SSH protocol was updated to support hmac-sha2-256, diffie-hellman-group14-sha1, and diffie-hellman-group-exchange-sha256.
• SFTP and SCP server-side file close operations now emit dedicated event ids. In this way you can filter file upload or download operations based on a specific event ID. The previous event with ID 30017 is now used only when the file was not opened in read-only or write-only mode. [SFTP][SCP]
• Allow simple negation of the regular expression used in source filter. In this way you don't need to use look-around zero-length assertion regex rules to exclude a certain pattern.

This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:

• The SCP server-side implementation now sends a response for successful SCP initialization, before starting to process the SCP transfer requests. This fixes a bug in which the Cisco SCP client (SSH-1.99-Cisco-1.25 implementation) hangs when SCP is initialized. For example when running copy start scp://10.0.2.1/some-file.
• Allow using the file dispatcher with any event from the file-operation group. Previously only the FTP upload events were supported. [#3366]
• Fix parsing the SCP arguments for client sending command line arguments with leading spaces. This affect the integration with the SCP client available on Cisco ASA and ASAv systems.

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

SFTPPlus Team announces a new release of SFTPPlus Client, version 1.5.61.

In this version we have fixed a regression in which SFTP transfer using absolute inbox path were failing.

In this release we have also added support for running the SFTPPlus client from an installation folder containing space characters.

For more details, please see the full release notes.

We are pleased to announce the latest release of SFTPPlus, version 3.6.0.

Here is the list of the important new functionalities:

• The OpenSSL version used by SFTPPlus is advertised as part of the events generated when starting the SFTPPlus process, as well as in the Local Manager status page.
• Now you can configure the source port used by the FTP and FTPS services to initiate active data connections. [ftp][ftps]
• The matching rules for file dispatching are now applied to the full path, not only to the file name.

This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:

• When a transfer requires multiple files to be transferred, they are now queued so that the files are transferred sequentially, one at a time. [#3131]
• When a location fails to start, it is no longer auto-started by a transfer. Now it needs to be manually started after the failure was investigated. All components/transfer trying to use a location which failed, will also have their operation failed. [#3176]
• Locations are now auto-started in the correct state, emitting an event and not leaving them in a 'restart-required' state. [#3176]
• The file transfer services secured by TLS/SSL and using a CRL will automatically stop/fail if the CRL can not be updated at runtime. In previous versions a warning was raised but the file transfer service continued to operate with a version of CRL which was previously loaded, resulting in an insecure operation. [security] [#3216]
• The files already present on the source location for a transfer are now filtered based on the transfer configuration and processed only after they are stable. [#3223]
• The file dispatcher event handler now no longer enters an infinite loop by handling its own events. [#3261]
• No internal server error is now produced when failing to remove the remote file after the file was successfully transferred on the local machine. [client] [#3283]
• Starting the Local Manager or the documentation pages from the Windows Start menu or using the command line using the admin-commands manager command, now successfully opens the default browser. [local-manager] [#3295]

These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.

SFTPPlus Server versions 1.6 and newer are not vulnerable to the DROWN attack.

SFTPPlus versions 3 and newer are also not vulnerable to it.

The DROWN attack targets server-side products, thus SFTPPlus client is not vulnerable to it.

SFTPPlus relies on OpenSSL for the SSL and TLS protocols used in implementing the FTPS and HTTPS protocols. The Unix and Linux versions of SFTPPlus use the OpenSSL libraries provided by the operating system. The Windows versions of SFTPPlus use the included OpenSSL libraries.

However, support for SSL version 2 was never available in SFTPPlus, thus SFTPPlus users are not exposed to any vulnerability related to the use of SSL v2. More so, SSL and TLS security contexts are always configured with NO_SSLv2. So, even if you are using an OpenSSL version with support for SSL v2, version 2 is explicitly denied in SFTPPlus.

The SFTP protocol is based on the SSH protocol and is not affected by SSL or TLS bugs.