FTP explicit TLS connection problem with some minimal TLS versions

Advertisement

vankom
Guest

FTP explicit TLS connection problem with some minimal TLS versions

winscp632 (win10): default setting for explicit TLS is Minimal version TLS 1.2 (test3)
test1: min version TLS 1.0, wireshark reports Client Hello TLSv12 connection OK
test2: min version TLS 1.1, wireshark reports Client Hello TLSv12 connection OK
test3: min version TLS 1.2, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)
test4: min version TLS 1.3, wireshark reports Client Hello TLSv1, Server closed conenction (no shared ciphers)
Could you explain, why wireshark reports Client Hello TLSv1, when I ser TLS 1.2/1.3 ?

Reply with quote

Advertisement

vankom
Guest

winscp5.21.8portable (win10):
test1: min version TLS 1.0, wireshark reports Client Hello TLSv12, connection OK
test2: min version TLS 1.1, wireshark reports Client Hello TLSv12, connection OK
test3: min version TLS 1.2, wireshark reports Client Hello TLSv12, connection OK
test4: min version TLS 1.3, wireshark reports Client Hello TLSv1, Server closed conenction (no shared ciphers)

Reply with quote

vankom
Guest

FTP explicit TLS connection problem with some minimal TLS versions

I think thist part of setting-vs-using need rework. Also missing default value in RAW options is confused (if you setup non-default value, then configuration options is in config). Developers, please, take a look at this.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: FTP explicit TLS connection problem with some minimal TLS versions

I'm sorry, but I do not understand your last post. Can you please try again? Can you describe step-by-step what are you doing and how did it go wrong?

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: FTP explicit TLS connection problem with some minimal TLS versions

Of course that I've looked at them. But I still do not understand it. Please explain.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: FTP explicit TLS connection problem with some minimal TLS versions

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Reply with quote

vankom
Guest

FTP explicit TLS connection problem with some minimal TLS versions

Test logs (version TLSmin-TLSmax)
WinSCP Version 5.21.8 TLSv1.2-TLSv1.2.log working
WinSCP Version 6.1.2 TLSv1.2-TLSv1.2.log working
WinSCP Version 6.2 beta TLSv1.2-TLSv1.2.log error
WinSCP Version 6.3.3 TLSv1.2-TLSv1.2.log error
WinSCP Version 6.3.3 TLSv1.1-TLSv1.2.log working
I found that problem is since version 6.2 beta.
If I compare log 6.1.2 TLSv1.2-TLSv1.2 and 6.3.3 TLSv1.1-TLSv1.2 they look identical.
Why is 6.3.3 TLSv1.2-TLSv1.2 not working?

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: FTP explicit TLS connection problem with some minimal TLS versions

Thanks. Is you server publicly accessible on the Internet? Can we get a full hostname, so that we can test on our own? (no credentials are needed)

Reply with quote

vankom
Guest

Re: FTP explicit TLS connection problem with some minimal TLS versions

I can not give you access. I make pcaps to compare differencies.
Nemozem ti dat pristup. Spravim pcaps, aby sa zistili rozdiely.

Reply with quote

vankom
Guest

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

I found cause (tcpdump analysis)
WinSCP Version 6.3.3 TLSv1.2-TLSv1.2.log error
-Signature Hash Algorithms (23 algorithms)
-SHA1 support is missing
WinSCP Version 6.3.3 TLSv1.1-TLSv1.2.log working
-Signature Hash Algorithms (26 algorithms)
-SHA1 is supported (algorithms 0x201, 0x202, 0x203)
It is caused by OpenSSL 3.1.3
* X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
Solution: We make new server certificate with current security standards.
Thank you for conversation.

Reply with quote

vankom
Guest

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

Just final confirmation:
After changing server certificate from SHA1 to SHA256 is connection working in all version mentioned above.
Thank you, this case is solved.

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

Thanks for sharing your solution!

Reply with quote

Advertisement

You can post new topics in this forum