2016-12-19 Version 2016 R3
(build number 6198)
Elliptic curve cryptography in SSH
All Rebex components utilizing our SSH library now support
SSH key exchange algorithms based on the Elliptic Curve Diffie-Hellman (ECDH) algorithm and
SSH host key algorithms based on the Elliptic Curve DSA (ECDSA) and Edwards-curve DSA (EdDSA) algorithms.
Please note that external plugins might be needed for some of those algorithms or curves on some platforms.
New OpenSSH key format support
PrivateKeyInfo objects can read server and client keys utilizing
the new OpenSSH key format (Base64-encoded keys with
"BEGIN OPENSSH PRIVATE KEY" header).
This format is usually used to store ED25519 or ECDSA keys.
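An added example (not Rebex code and not part of the original release notes): a small Python inspector for the "BEGIN OPENSSH PRIVATE KEY" container described above, reporting the stored key types and whether the private section is encrypted. The field layout follows OpenSSH's openssh-key-v1 format; `inspect_openssh_key`, `build_sample` and the sample file (zero bytes in place of key material) are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

class Reader:
    """Cursor over SSH wire data: uint32 big-endian lengths, then bytes."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated key data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]

    def string(self):
        return self.take(self.uint32())

def inspect_openssh_key(pem_text):
    """Report cipher, KDF and key types; secret key bytes are never decoded."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a new-format OpenSSH private key")
    r = Reader(base64.b64decode("".join(lines[1:-1]), validate=True))
    if r.take(len(MAGIC)) != MAGIC:
        raise ValueError("bad magic")
    cipher = r.string().decode("ascii")
    kdf = r.string().decode("ascii")
    kdf_options = Reader(r.string())
    count = r.uint32()
    # Each public key blob starts with its algorithm name, e.g. ssh-ed25519.
    key_types = [Reader(r.string()).string().decode("ascii") for _ in range(count)]
    private_section = Reader(r.string())
    info = {"cipher": cipher, "kdf": kdf, "key_types": key_types,
            "encrypted": cipher != "none", "kdf_rounds": None}
    if kdf == "bcrypt":
        kdf_options.string()                       # salt
        info["kdf_rounds"] = kdf_options.uint32()  # work factor
    if not info["encrypted"]:
        # An unencrypted private section starts with two equal check integers.
        if private_section.uint32() != private_section.uint32():
            raise ValueError("check integers differ")
    return info

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def build_sample(encrypted=False):
    """Constructed sample file: zero bytes stand in for all key material."""
    public = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    private = (struct.pack(">II", 7, 7) + public + ssh_string(bytes(64))
               + ssh_string(b"constructed"))
    private += bytes(range(1, 1 + (-len(private)) % 8))  # 1,2,3... padding
    if encrypted:
        # Header fields only; the private section is a placeholder, not ciphertext.
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        options = ssh_string(bytes(16)) + struct.pack(">I", 16)  # salt, rounds
    else:
        cipher, kdf, options = b"none", b"none", b""
    blob = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(options)
            + struct.pack(">I", 1) + ssh_string(public) + ssh_string(private))
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\n{body}\n{END}\n"
```

A key file reported with `encrypted` set to False is stored without a passphrase, which is worth flagging when auditing client or host keys.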
Fine-tuning enabled ciphers in SSH
SshParameters only made it possible to enable/disable groups of ciphers.
Now, it's possible to fine-tune the list of supported algorithms, including their preferred order (client-side only) using
Please note that
MacAlgorithms properties still apply - a cipher is only used
when it is enabled by both the method and property.
Disabled weak algorithms in SSH
Several legacy ciphers are now disabled by default:
Use SshParameters.EncryptionAlgorithms to enable them.
Weak RSA server host keys shorter than 1024 bits are now rejected by default.
Use the SshParameters.MinimumRsaKeySize property to specify a custom key size.
Complete list of changes of version 2016 R3
- File Server: Renamed FileServerUser constructor's physicalRootPath argument to virtualRootPath.
- File Server: Added support for "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521" and "firstname.lastname@example.org" key exchange algorithms (plugins needed to enable them).
- File Server: Proper maximum packet size used when sending channel data (instead of hardcoded value).
- File Server: Fixed rename operation that used to fail for directories located in the physical disk's root directory.
- File Server: Fixed a bug that could cause timeout and session failure during SSH session renegotiation.
- File Server: Added support for "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521" and "ssh-ed25519" host key algorithms (plugins might be needed on some platforms).
- File Server: Both RSA and DSA certificates can be used as host key at the same time.
- Networking: Enhanced and optimized HTTP/HTTPS client core.
- Networking: Connect/Listen methods on ProxySocket/TlsSocket objects now throw an exception when called twice on the same socket.
- Networking: Added SocketInformation constructor.
- SSH: Added support for "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521" and "email@example.com" key exchange algorithms (plugins might be needed on some platforms).
- SSH: Added support for new OpenSSH key format (Base64-encoded keys with "BEGIN OPENSSH PRIVATE KEY" header).
- SSH: Added SetKeyExchangeAlgorithms, SetHostKeyAlgorithms, SetMacAlgorithms methods to SshParameters object to make it possible to fine-tune the list of enabled SSH ciphers.
- SSH: Legacy Diffie-Hellman group exchange is only used with legacy SSH servers.
- SSH: Added SshSession.ServerInfo property to make it possible to determine ciphers supported by the SSH server.
- SSH: Added SshPublicKey.KeySize property.
- SSH: Added SshParameters.MinimumRsaKeySize property that restricts connections to SSH servers whose RSA server key is of the given size or larger.
- SSH: Added support for "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521" and "ssh-ed25519" host key algorithms (plugins might be needed on some platforms).
- SSH: Disabled weak SSH ciphers by default (they can still be enabled explicitly).
- SSH: Check availability of associated private key when adding a certificate-based server host key.
- SSL: Added support for Elliptic-Curve based TLS ciphers (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA) with NIST P-256/P-384/P-521, Curve 25519 and Brainpool P256R1/P384R1/P512R1 curves. Plugins are needed for some of those.
- SSL: Server name is now passed to TLS server during negotiation (use TlsParameters.CommonName to override it).
- SSL: Fixed TlsCipherSuite.All to include all recently added cipher suites.
- SSL: All legacy 'EXPORT1024' ciphers are now prohibited by default in addition to already-prohibited 'EXPORT' ciphers (unless AllowVulnerableSuites option is enabled).
- SSL: Fixed issues with some legacy TLS/SSL ciphers (all of them were already disabled by default).
- SSL: Enhanced error reporting in server-side TLS/SSL library.
- Cryptography: Improved ASN.1 time node parser.
- Cryptography: Added support for certificate validation on Universal Windows Platform.
- Cryptography: Added custom X509 certificate validator for .NET Compact Framework with full SHA-2 support on all platforms.
- Cryptography: Fixed parsing of 'Intended Usage' extension when 'Decipher Only' was specified.
- Cryptography: Added static Create method to SHA256Managed/SHA384Managed/SHA512Managed classes on .NET Compact Framework.
- Cryptography: ValidationResult.ErrorCode deprecated and replaced with NativeErrorCode.
- Cryptography: Optimized memory usage in CMS/PKCS #7 (SignedData/EnvelopedData classes).
- Cryptography: Added missing argument checks to CertificateIssuer methods.
- Cryptography: Added support for Base64-encoded files with CRLF end-of-line sequences to CertificateChain.LoadP7b method.
- Cryptography: Fixed HMAC calculation based on SHA-384 and SHA-512 on .NET Compact Framework and Mono platforms.
- Cryptography: Added Rebex.Security.Certificates.CertificateEngine class to make it possible to implement custom X509 chain building and validation engines.
- Core: Added ConsoleLogWriter for Xamarin platforms.
- Core: Added Rebex.TeeLogWriter class that makes it possible to log to multiple log writers.
- Core: Added LocalItem.GetChecksum methods and related types.
2016-08-26 Version 2016 R2.2
(build number 6083)
This update brings several improvements, workarounds and bugfixes.
Complete list of changes of version 2016 R2.2
- File Server: Fixed FileUploaded/FileDownloaded events that used to be wrongly called on session failure.
- SSH: Enhanced handling of errors in FingerprintCheck event handlers.
- SSL: Fixed a rare issue in abbreviated TLS/SSL negotiation handling.
- Cryptography: Added CheckCertificate/GetIssuingDistributionPoint methods to CertificateRevocationList class and ValidateRevocationList method to Certificate class.
- Cryptography: Added support for certificates with private keys stored in CNG Key Storage Providers.
- Cryptography: Enhanced SHA-2 support check on .NET Compact Framework.
- Cryptography: Fixed SHA-2 support in AsymmetricKeyAlgorithm.SignHash on Windows Server 2008 (and possibly other old platforms).
- Core: Added workaround for broken FileStream.SetLength on some .NET Compact Framework platforms.
2016-07-28 Version 2016 R2.1
(build number 6054)
Fixed RSA-based session negotiation
In 2016 R2, File Server always attempted to use RSAManaged to create an RSA signature instead of using RSACryptoServiceProvider whenever possible.
Experimental support for Universal Windows Platform
Rebex File Server binaries for Universal Windows Platform are now available.
Supported platforms include Windows 10, Windows 10 Mobile, Windows 10 IoT and possibly Xbox One.
Complete list of changes of version 2016 R2.1
- File Server: Added FileServer.Settings.ShowHiddenItems option that makes it possible to show file system items with the 'hidden' flag in directory listings.
- File Server: Added experimental File Server binaries for Universal Windows Platform.
- File Server: Added support for extremely verbose incoming packet logging (log level 0).
- File Server: Fixed handling of connection protocol packets received during renegotiation.
- Networking: Fixed ProxySocket.ToEndPoint to throw a more meaningful exception for entries with no IP addresses.
- SSL: Fixed unreadable TLS debug log messages on Xamarin platforms.
- SSL: Added workarounds for bugs in Microsoft Schannel implementation of DHE_RSA_* ciphers related to incorrect padding processing.
- Cryptography: Fixed AsymmetricKeyAlgorithm.SignHash (in 2016 R2, it falls back to RSAManaged without trying to use RSACryptoServiceProvider first).
- Cryptography: Fixed CertificateIssuer.IssueRevocationList method that ignored signatureHashAlgorithm argument and always used SHA-1.
- Core: FileLogWriter on Windows Store 8.x / Universal Windows Platform is now thread-safe.
- Core: Fixed LocalItem(string) constructor on Windows Store 8.x / Universal Windows Platform.
- Core: Added workaround for broken handling of surrogate pairs when converting to "iso-8859-1" using System.Text.Encoding on Mono 4.x.
2016-06-30 Version 2016 R2
(build number 6026)
Support for Xamarin June 2016 Update
June 2016 update of Xamarin.iOS/Xamarin.Android/Xamarin.Mac introduced a breaking change in Mono.Security API
that broke compatibility with Rebex components. This issue has been solved in this release.
SHA-2 for all supported .NET Compact Framework platforms
SHA-1 is currently being deprecated (applies to X509 certificates, TLS/SSL and SSH),
which poses a problem for legacy .NET Compact Framework platforms based on editions
of Windows CE with no native SHA-2 support. To make solutions for these platforms compatible
with current TLS/SSL and SSH servers, we added a custom implementation of SHA-2 for these
Additional SSH host key algorithms
Support for 'x509v3-sign-dss', 'firstname.lastname@example.org' and 'email@example.com' host key algorithms
has been added to SFTP, SCP, SSH and File Server components.
Complete list of changes of version 2016 R2
- File Server: Enhanced error reporting when trying to delete non-empty directories.
- File Server: Fixed data buffering in SFTP subsystem.
- File Server: Ssh object now properly closes tunnel listeners when disposed.
- File Server: Added MaxSessionTransferredBytes and MaxSessionDuration settings to specify when to trigger session renegotiation.
- File Server: Added FileServer.Settings.UseLargeBuffers option.
- File Server: Added support for additional server authentication algorithms ('x509v3-sign-dss', 'firstname.lastname@example.org' and 'email@example.com').
- File Server: Fixed compatibility with Bitvise SSH Client related to text mode.
- File Server: Fixed error handling in SSH tunnel starter.
- File Server: Fixed possible NullReferenceException on connection failure.
- File Server: Added ClientSoftwareIdentifier to PreAuthenticationEventArgs and AuthenticationEventArgs.
- Networking: Increased default receive buffer size on Windows 8 and higher. Added related Proxy properties to make this configurable.
- Proxy: ProxySocket object's Connect method now uses the timeout value specified by the Timeout property.
- SSH: Added support for additional server authentication algorithms ('x509v3-sign-dss', 'firstname.lastname@example.org' and 'email@example.com').
- SSH: Disabled hmac-sha96 SSH cipher in FIPS mode (it's not compliant).
- SSH: Fixed error handling in queued background calls (mostly applies to session renegotiation).
- SSH: Fixed renegotiation handling to allow renegotiation while authenticating.
- SSH: Fixed DSA client certificate authentication.
- SSH: Enhanced interactive authentication support to handle uppercase password prompts.
- SSL: Enhanced SHA-2 support for .NET Compact Framework. SHA-256, SHA-384 and SHA-512 are now supported even on platforms with no native SHA-2 support.
- SSL: Added Settings.SslSession property to allow resuming specific TLS/SSL sessions.
- SSL: Fixed record layer 'protocol version' handling.
- SSL: Enhanced Diffie-Hellman key exchange logging.
- Cryptography: Fixed detection of native SHA-2 support in .NET Compact Framework version.
- Cryptography: Added support for more variants of OpenSSL/OpenSSH (SSLeay) key files.
- Cryptography: Fixed Certificate.Associate to work with DSA keys.
- Cryptography: Added CrlNumber property to CertificateRevocationList object.
- Cryptography: Added support for SHA-2 certificates to Certificate.VerifyHash in .NET 2.0 on Windows with FIPS-compliant mode enabled.
- Cryptography: Certificate.LoadPfx and CertificateChain.LoadPfx methods now specify Exportable options by default (in addition to UserKeySet).
- Cryptography: Added workaround for RSA implementations that reject rare signatures shorter than the key size.
- Core: Enhanced SSPI error messages.
- Core: Fixed LogWriterBase.Level default value.
- Core: Fixed compatibility issue in Xamarin edition (caused by a breaking change in June 2016 update of Xamarin).
2016-02-10 Version 2016 R1.1
(build number 5885)
Experimental assemblies for Xamarin.Mac
Added experimental binaries of most Rebex components (FTP/SSL, SFTP, File Server, Secure Mail, ZIP, Time, Security) for Xamarin.Mac platforms.
They are suitable for targeting Xamarin.Mac Mobile Framework and Xamarin.Mac .NET 4.5 Framework projects.
This release includes several hotfixes.
Complete list of changes of version 2016 R1.1
- SSH: Fixed seldom-used SshSession.Connect(string, int) method that was freezing since 2016 R1.
- SSH: Added workaround for older versions of Bitvise server that don't properly handle SSH channel closing.
- SSH: Fixed handling of multi-line SSH banner messages.
- SSH: Fixed a bug in SSH channel window size adjustment.
- SSH: Fixed potential NullReferenceException error in SshSession.Dispose method.
- SSL: Disabled any usage of MD5 in TLS 1.2 to prevent SLOTH attacks.
2016-01-11 Version 2016 R1
(build number 5855)
SSH tunneling (port forwarding)
Support for outgoing SSH tunnels (port forwarding) was added.
Mitigation of Logjam attacks
Check for minimum allowed Diffie-Hellman key size (1024 bits) has been added to SSH and TLS/SSL to mitigate Logjam attacks.
The minimum value can be changed using
File upload/download events in File Server
Added FileUploaded and FileDownloaded events to make it easier to track uploads and downloads.
Server certificate authentication in SSH
Rebex SFTP, Terminal Emulation and File Server now support X509 certificate host key algorithm, making it possible to authenticate servers using
a certificate instead of public key.
Enhanced virtual shell support
File Server's virtual shell infrastructure offers Empty shell in addition to Scp shell.
It provides no predefined commands (with the exception of exit), making it simple to provide a custom set of commands instead.
Complete list of changes of version 2016 R1
- All: Added workaround for Xamarin.Android whose Dns.GetHostEntry resolves 'localhost' to device's external IP address.
- All: Rebex assemblies are now signed with SHA-256 signatures in addition to legacy SHA-1 signatures.
- File Server: Added port forwarding (TCP tunneling) support.
- File Server: Enhanced logging of handle-based file system operations (such as closing a file).
- File Server: IsRunning property added to Server/FileServer objects.
- File Server: Added FileUploaded/FileDownloaded events.
- File Server: Starting a server with no bindings now triggers an error.
- File Server: Fixed wrong session ID in SFTP error log entries.
- File Server: Fixed handling of empty folders on Windows CE.
- File Server: Fixed bad P/Invoke declaration (applies to Windows platforms).
- File Server: Enhanced error reporting in SFTP and SCP and fixed several wrong error codes.
- File Server: Fixed file delete operation that used to report success when deleting non-existent file on non-Windows platforms.
- File Server: Fixed compatibility issues with libssh2.
- File Server: Added proper data window size checks.
- File Server: Added workaround for wrong error code reported by Windows CE when deleting non-existent file.
- File Server: Added workaround for Open with Create+Read in .NET-based virtual file system.
- File Server: Fixed Unbind method that occasionally triggered an error.
- File Server: Added FileServerProtocol.Shell (replaces FileServerProtocol.Scp). Makes it possible to choose between SCP shell and empty shell when constructing a user object.
- File Server: Enhanced error handling during initialization. Early closed connections no longer leave the server in an unusable state.
- File Server: Added workaround for buggy (or malicious) clients that send incomplete disconnect requests.
- File Server: Added logging of successful and failed authentication attempts.
- File Server: Added workaround for Windows CE with missing Enhanced DSS and Diffie-Hellman Cryptographic Provider (managed and slow implementation of Diffie-Hellman is used in this case).
- File Server: Fixed FileServer constructor (used to fail when default charset was multi-byte but not UTF-8).
- File Server: Unified ShellCommandEventArgs.User and SshConsole.User types.
- File Server: Added support for certificate-based server authentication (using the 'x509v3-sign-rsa' algorithm).
- File Server: Enhanced key negotiation error logging.
- File Server: Added workaround for Xamarin.Android where it was possible to open a non-existing directory.
- Proxy: Fixed a bug in SOCKS4/SOCKS5 response reading code that triggered an infinite loop with buggy proxy servers.
- Proxy: Enhanced DNS resolution error messages.
- SSH: Enhanced interactive authentication support to make it possible to use AuthenticationRequest event to ask for username and password.
- SSH: Enhanced rejected authentication logging and error reporting.
- SSH: Added SshParameters.MinimumDiffieHellmanKeySize value (set to 1024 by default to mitigate Logjam attacks).
- SSH: No exception is thrown when the server aborts connection instead of closing it (unless a packet is being received).
- SSH: Enhanced 'no common algorithms' error message.
- SSH: Refactored SSH core to handle multi-thread scenarios more efficiently.
- SSH: Added certificate-based constructor to SshPublicKey class.
- SSH: Added support for certificate-based server authentication (using the 'x509v3-sign-rsa' algorithm).
- SSH: Fixed misleading error message when user interactive authentication attempt is rejected.
- SSH: Added support for one additional 'keyboard-interactive' authentication prompt ('Password for [user@server]:').
- SSH: Added Settings.PostponeChannelClose option to enable workaround for servers that send channel data or exit code after the channel has been closed.
- SSH: Added EnableSignaturePadding option that forces signature padding (workaround for SSH servers that got signature padding wrong).
- SSH: Added logging of debug messages received from SSH server.
- SSL: TLS 1.2 made compatible with Microsoft's implementation.
- SSL: Fixed client certificate authentication in TLS 1.2.
- SSL: Added Settings.SslMinimumDiffieHellmanKeySize value (set to 1024 by default to mitigate Logjam attacks).
- SSL: Added reliable detection of SHA-2 certificate support.
- Cryptography: Enhanced cryptographic provider initialization error message.
- Cryptography: Added workaround for PuTTY keys with bad data at the end.
- Core: Fixed multi-file operations to never modify input FileSet's BasePath.
- Core: ThreadPool is now used to handle background operations instead of a custom implementation.
- Core: Enhanced multithread operation support in log writers.
2015-08-24 Version 2015 R4.1
(build number 5715)
Fixed Xamarin mobile platform detection
Fixed platform detection code on Xamarin.iOS and Xamarin.Android.
Complete list of changes of version 2015 R4.1
- All: Fixed platform detection on Xamarin.Android and Xamarin.iOS.
- All: Version and platform added to assembly description.
2015-08-09 Version 2015 R4
(build number 5700)
Support for Windows 10, .NET Framework 4.6 and Visual Studio 2015
All Rebex components now ship with full support for Windows 10, .NET Framework 4.6
and Microsoft Visual Studio 2015.
Older Visual Studio versions (2005 and higher) and .NET Framework versions (2.0 and higher)
are still supported as well.
Faster TLS/SSL and SSH negotiation on Xamarin.Android
Our SSH and TLS/SSL libraries now use Java-based Diffie-Hellman on Xamarin.Android, which substantially speeds up SSH and TLS/SSL negotiation
when Diffie-Hellman algorithm is used.
Complete list of changes of version 2015 R4
- All: Enhanced platform detection code.
- File Server: Added support for UNC paths.
- File Server: Fixed issues with HMAC-SHA1 and HMAC-MD5 in FIPS-only mode.
- File Server: Added support for message authentication algorithms based on SHA-2 on .NET Compact Framework (when supported natively).
- File Server: Fixed handling of "empty" read requests (used to send back EOF instead of an empty block).
- File Server: Enhanced subsystem shutdown process to prevent exception messages in the log.
- File Server: LogLevel for SFTP filesystem errors lowered from Debug to Verbose.
- SSH: Added support for message authentication algorithms based on SHA-2 on .NET Compact Framework (when supported natively).
- SSH: Fixed NullReferenceException thrown by some SshSession properties (such as IsConnected) when not connected.
- SSH: SHA-2 is now the preferred message authentication algorithm.
- SSH: Added support for larger SSH packets.
- SSL: Unified status handling in ValidatingCertificate events and ICertificateVerifier interface.
- SSL: Enhanced TLS/SSL version mismatch handling.
- Cryptography: Fixed final empty block handling in Twofish/Blowfish/ArcTwo TransformFinalBlock with PKCS #7 padding.
- Cryptography: SSH and TLS/SSL now use Java-based Diffie-Hellman objects on Xamarin.Android platform to speed up negotiation.
- Core: Fixed end-of-line sequences in LogWriterBase, optimized FileLogWriter.
- Core: Added workaround for broken ASN.1 time values with the second part of "60".
2015-04-15 Version 2015 R3.1
(build number 5584)
File Server bugfixes
Two bugs have been fixed in Rebex File Server.
One bug caused errors in WinSCP while uploading files over SFTP, another bug made
it impossible to create files and directories whose names contained whitespaces when
uploading over SCP.
Complete list of changes of version 2015 R3.1
- File Server: Fixed SFTP file creation that was not compatible with WinSCP.
- File Server: Fixed SSH packet names in verbose log.
- File Server: Fixed handling of filenames with whitespaces in SCP.
- File Server: Disabled legacy "arcfour" SSH cipher by default.
- SSH: Disabled legacy "arcfour" SSH cipher by default.
- SSH: Fixed a bug that caused an algorithm list set by Settings.SshParameters.SetEncryptionAlgorithms to be ignored in FIPS-compliant mode.
2015-04-08 Version 2015 R3
(build number 5577)
New component - Rebex File Server
Rebex File Server is an SFTP, SCP and SSH server library.
It provides secure remote file system access over an SSH channel using the SFTP or SCP protocols
and makes it simple to create an SFTP server that can be used by Rebex SFTP or any third-party SFTP, SCP or SSH client.
Supports .NET Framework, .NET Compact Framework, Mono, Xamarin.iOS and Xamarin.Android. Available as a standalone package or as a part
of Rebex File Transfer Pack, Rebex SSH Pack or Rebex Total Pack.
Complete list of changes of version 2015 R3
- All: Fixed Version property of Ftp, Imap, Pop3, Scp, Sftp, Smtp and Ssh classes to return a proper version number. Changed Ftp.Version to a static property to match the other objects.
- File Server: Initial release.
- SSH: Enhanced some authentication error messages.
- SSL: Disabled ciphers based on RC4 to prevent Bar Mitzvah attack on TLS/SSL.
- Cryptography: Enhanced weak signature algorithm detection during certificate validation on Xamarin.iOS.
- Core: Connect methods no longer require FileIOPermission (used to determine the assembly version for a log).