Why is Nextcloud still trying to use the legacy cipher?

Would someone who actually works on Nextcloud finally, at long last, explain to me why Nextcloud (v28.0.2 as of this writing) still tries to use the legacy cipher, and that with 'encryption.legacy_format_support' => false and occ encryption:scan:legacy-format returning “All scanned files are properly encrypted. You can disable the legacy compatibility mode”?

{"reqId":"G92cLiGhvbhFdqglWp41","level":3,"time":"2024-02-02T14:20:36+00:00","remoteAddr":"62.178.177.26","user":"--","app":"no app in context","method":"GET","url":"/s/GYtaPdsoooPE2gB/download?path=&files=","message":"Exception thrown: OC\ServerNotAvailableException","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0","version":"28.0.2.5","exception":{"Exception":"OC\ServerNotAvailableException","Message":"Legacy cipher is no longer supported!","Code":0,"Trace":[{"file":"/var/www/clients/client1/web1/web/apps/encryption/lib/Crypto/Crypt.php","line":378,"function":"getLegacyCipher","class":"OCA\Encryption\Crypto\Crypt","type":"->"},{"file":"/var/www/clients/client1/web1/web/apps/encryption/lib/KeyManager.php","line":404,"function":"decryptPrivateKey","class":"OCA\Encryption\Crypto\Crypt","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web1/web/apps/encryption/lib/Crypto/Encryption.php","line":478,"function":"getFileKey","class":"OCA\Encryption\KeyManager","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/Files/Storage/Wrapper/Encryption.php","line":354,"function":"isReadable","class":"OCA\Encryption\Crypto\Encryption","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/Files/Storage/Wrapper/Wrapper.php","line":173,"function":"isReadable","class":"OC\Files\Storage\Wrapper\Encryption","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/Files/View.php","line":1161,"function":"isReadable","class":"OC\Files\Storage\Wrapper\Wrapper","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/Files/View.php","line":488,"function":"basicOperation","class":"OC\Files\View","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/Files/Filesystem.php","line":529,"function":"isReadable","class":"OC\Files\View","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/legacy/OC_Files.php","line":343,"function":"isReadable","class":"OC\Files\Filesystem","type":"::"},{"file":"/var/www/clients/client1/web1/web/lib/private/legacy/OC_Files.php","line":122,"function":"getSingleFile","class":"OC_Files","type":"::"},{"file":"/var/www/clients/client1/web1/web/apps/files_sharing/lib/Controller/ShareController.php","line":487,"function":"get","class":"OC_Files","type":"::"},{"file":"/var/www/clients/client1/web1/web/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"downloadShare","class":"OCA\Files_Sharing\Controller\ShareController","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/var/www/clients/client1/web1/web/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\AppFramework\App","type":"::"},{"file":"/var/www/clients/client1/web1/web/lib/base.php","line":1069,"function":"match","class":"OC\Route\Router","type":"->"},{"file":"/var/www/clients/client1/web1/web/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/clients/client1/web1/web/apps/encryption/lib/Crypto/Crypt.php","Line":301,"CustomMessage":"Exception thrown: OC\ServerNotAvailableException"},"id":"65bcfa3e670c8"}

You tagged this as end-to-end-encryption, but this error, the stack trace, and your commands are about server-side encryption. Noting in case you are using end-to-end (in which case this is a very different problem).

It looks like this particular code path only gets triggered if the file in question lacks an encryption header. The fallback is to assume it’s a really ancient encryption mode (from OC6 days[1]). Can you look at the raw file on-disk to see if it has a header?

P.S. Try to enclose posted stack traces in a preformatted text block so they’re more readable and can be copied and pasted cleanly to json formatting tools by those trying to help you.

[1] server/apps/encryption/lib/Crypto/Encryption.php at 5a8cc42eb26cf9a31187ca8efc91405cc15d8e6d · nextcloud/server · GitHub
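
The on-disk check suggested in the reply above, as an added example that is not part of the thread or of Nextcloud's code: it reads the start of a raw file and reports whether an encryption header is present and which cipher it names. The `HBEGIN`/`HEND` markers, the key:value layout and the 8192-byte block are assumptions about the server-side encryption format, and the function names are hypothetical.

```python
import os
import sys
import tempfile

# Assumptions (not stated on this page): the header starts with "HBEGIN:",
# ends with ":HEND", holds colon-separated key:value pairs, and is padded
# to an 8192-byte block.
HEADER_START = b"HBEGIN:"
HEADER_END = b":HEND"
HEADER_BLOCK = 8192

# Constructed sample files, not data from a real instance.
SAMPLE_WITH_HEADER = (
    b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND"
).ljust(HEADER_BLOCK, b"-") + b"constructed-ciphertext"
SAMPLE_NO_HEADER = b"constructed-ciphertext-without-any-header"


def read_encryption_header(path):
    """Return the header fields as a dict, or None when no header is present."""
    with open(path, "rb") as fh:
        block = fh.read(HEADER_BLOCK)
    end = block.find(HEADER_END)
    if not block.startswith(HEADER_START) or end == -1:
        return None
    fields = block[len(HEADER_START):end].decode("ascii", "replace").split(":")
    return dict(zip(fields[0::2], fields[1::2]))


def classify(path):
    """Label a file as headerless or name the cipher its header declares."""
    header = read_encryption_header(path)
    if header is None:
        return "no-header"
    return "header cipher=" + header.get("cipher", "unknown")


def make_sample(content):
    """Write constructed content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Usage: python3 check_header.py <raw file from the data directory> ...
    for arg in sys.argv[1:]:
        print(arg, classify(arg))
```
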

Please pardon the incorrect tag. There isn’t one for server-side encryption, for some reason.

It’s not a new share. It’s a file I uploaded yesterday, and created a new share link for yesterday, with legacy format support disabled.

It is true, however, that I’m a longtime Nextcloud user, and this instance was migrated from OwnCloud.

Would a file without an encryption header show up in the occ encryption:scan:legacy-format scan? None do.

Because that’s how you’ve chosen to configure your web server. This has nothing to do with Nextcloud.

Visit this SSL Configuration generator. It will help you choose a more up to date cipher suite in a format that suits whatever web server you use.

Why is it that the most ignorant always frame every question such that someone else is at fault? I mean, you could have asked, “How do I stop using a legacy cipher” or “How can I update/upgrade the cipher I use for Nextcloud”.

But you didn’t. Your ignorance assumes you’re in the right, others are stupid, and that you’re a victim of others’ stupidity.

@DarkSteve, I appreciate your no-doubt well-intentioned reply, but this has nothing to do with SSL configuration for the Apache server running behind Nextcloud. It’s about server-side encryption performed by Nextcloud itself, as @jtr already recognized.