Can't connect to Windows Server 2012 (IIS 8) FTP when using

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#16 Post by botg » 2013-03-11 21:42

Specifically RC4 128/128, Triple DES 168/168, AES 128/128, AES 256/256 only.
Those are encryption algorithms.

For a cipher suite, you also need a (H)MAC, a key exchange algorithm and for block ciphers, an operation mode. Please provide a full list of all enabled cipher suites.

For reference, these are the ciphers supported by the TLS library used by FileZilla and allowed by FileZilla:

ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_ECDSA_AES_256_CBC_SHA1
ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_128_CBC_SHA1
ECDHE_ECDSA_AES_128_GCM_SHA256
ECDHE_RSA_AES_256_CBC_SHA1
ECDHE_RSA_AES_256_GCM_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_128_CBC_SHA1
ECDHE_RSA_AES_128_GCM_SHA256
DHE_RSA_AES_256_CBC_SHA256
DHE_RSA_AES_256_CBC_SHA1
DHE_RSA_CAMELLIA_256_CBC_SHA1
DHE_RSA_AES_128_CBC_SHA256
DHE_RSA_AES_128_CBC_SHA1
DHE_RSA_CAMELLIA_128_CBC_SHA1
DHE_RSA_AES_128_GCM_SHA256
DHE_DSS_AES_256_CBC_SHA256
DHE_DSS_AES_256_CBC_SHA1
DHE_DSS_CAMELLIA_256_CBC_SHA1
DHE_DSS_AES_128_CBC_SHA256
DHE_DSS_AES_128_CBC_SHA1
DHE_DSS_CAMELLIA_128_CBC_SHA1
DHE_DSS_AES_128_GCM_SHA256
DHE_DSS_ARCFOUR_SHA1
RSA_AES_256_CBC_SHA256
RSA_AES_256_CBC_SHA1
RSA_CAMELLIA_256_CBC_SHA1
RSA_AES_128_CBC_SHA256
RSA_AES_128_CBC_SHA1
RSA_CAMELLIA_128_CBC_SHA1
RSA_AES_128_GCM_SHA256
RSA_ARCFOUR_SHA1

rossh
550 File not found
Posts: 35
Joined: 2013-03-11 09:46
First name: Ross

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#17 Post by rossh » 2013-03-15 07:49

botg wrote:
Specifically RC4 128/128, Triple DES 168/168, AES 128/128, AES 256/256 only.
Those are encryption algorithms.

For a cipher suite, you also need a (H)MAC, a key exchange algorithm and for block ciphers, an operation mode. Please provide a full list of all enabled cipher suites.
Yes.

2008 R2, limited to PCI, does all those combinations above with RC4 128, 3xDES, AES 128 and 256 - about 20 available in total in 2008 R2. But for some reason, FileZilla and 2008 R2 using MS's FTP server do not get along.

Update Mar 21. According to https://www.ssllabs.com/ssltest/ the server offers up these ciphers:

TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) 256


Update 2

I found / modified a shell script that went through every available openssl cipher and tested it against the server. These cipher names come directly out of openssl v1.0.1. From the list below, and those on your list above, FileZilla Client and MS FTP server in PCI compliant mode will agree on these ciphers only: NONE

Note the numerous naming conflicts between all the different lists. (- vs _, AES256 vs AES_256). I think this is where a lot of issues arise.


$ ./ssl_ciphers.sh
Obtaining cipher list from OpenSSL 1.0.1e 11 Feb 2013.
Testing ECDHE-RSA-AES256-GCM-SHA384 NO
Testing ECDHE-ECDSA-AES256-GCM-SHA384 NO
Testing ECDHE-RSA-AES256-SHA384 NO
Testing ECDHE-ECDSA-AES256-SHA384 NO

Testing ECDHE-RSA-AES256-SHA YES

Testing ECDHE-ECDSA-AES256-SHA NO
Testing SRP-DSS-AES-256-CBC-SHA NO
Testing SRP-RSA-AES-256-CBC-SHA NO
Testing DHE-DSS-AES256-GCM-SHA384 NO
Testing DHE-RSA-AES256-GCM-SHA384 NO
Testing DHE-RSA-AES256-SHA256 NO
Testing DHE-DSS-AES256-SHA256 NO
Testing DHE-RSA-AES256-SHA NO
Testing DHE-DSS-AES256-SHA NO
Testing DHE-RSA-CAMELLIA256-SHA NO
Testing DHE-DSS-CAMELLIA256-SHA NO
Testing AECDH-AES256-SHA NO
Testing SRP-AES-256-CBC-SHA NO
Testing ADH-AES256-GCM-SHA384 NO
Testing ADH-AES256-SHA256 NO
Testing ADH-AES256-SHA NO
Testing ADH-CAMELLIA256-SHA NO
Testing ECDH-RSA-AES256-GCM-SHA384 NO
Testing ECDH-ECDSA-AES256-GCM-SHA384 NO
Testing ECDH-RSA-AES256-SHA384 NO
Testing ECDH-ECDSA-AES256-SHA384 NO
Testing ECDH-RSA-AES256-SHA NO
Testing ECDH-ECDSA-AES256-SHA NO
Testing AES256-GCM-SHA384 NO

Testing AES256-SHA256 YES
Testing AES256-SHA YES

Testing CAMELLIA256-SHA NO
Testing PSK-AES256-CBC-SHA NO
Testing ECDHE-RSA-DES-CBC3-SHA NO
Testing ECDHE-ECDSA-DES-CBC3-SHA NO
Testing SRP-DSS-3DES-EDE-CBC-SHA NO
Testing SRP-RSA-3DES-EDE-CBC-SHA NO
Testing EDH-RSA-DES-CBC3-SHA NO
Testing EDH-DSS-DES-CBC3-SHA NO
Testing AECDH-DES-CBC3-SHA NO
Testing SRP-3DES-EDE-CBC-SHA NO
Testing ADH-DES-CBC3-SHA NO
Testing ECDH-RSA-DES-CBC3-SHA NO
Testing ECDH-ECDSA-DES-CBC3-SHA NO
Testing DES-CBC3-SHA NO
Testing DES-CBC3-MD5 NO
Testing PSK-3DES-EDE-CBC-SHA NO
Testing ECDHE-RSA-AES128-GCM-SHA256 NO
Testing ECDHE-ECDSA-AES128-GCM-SHA256 NO

Testing ECDHE-RSA-AES128-SHA256 YES

Testing ECDHE-ECDSA-AES128-SHA256 NO

Testing ECDHE-RSA-AES128-SHA YES

Testing ECDHE-ECDSA-AES128-SHA NO
Testing SRP-DSS-AES-128-CBC-SHA NO
Testing SRP-RSA-AES-128-CBC-SHA NO
Testing DHE-DSS-AES128-GCM-SHA256 NO
Testing DHE-RSA-AES128-GCM-SHA256 NO
Testing DHE-RSA-AES128-SHA256 NO
Testing DHE-DSS-AES128-SHA256 NO
Testing DHE-RSA-AES128-SHA NO
Testing DHE-DSS-AES128-SHA NO
Testing DHE-RSA-SEED-SHA NO
Testing DHE-DSS-SEED-SHA NO
Testing DHE-RSA-CAMELLIA128-SHA NO
Testing DHE-DSS-CAMELLIA128-SHA NO
Testing AECDH-AES128-SHA NO
Testing SRP-AES-128-CBC-SHA NO
Testing ADH-AES128-GCM-SHA256 NO
Testing ADH-AES128-SHA256 NO
Testing ADH-AES128-SHA NO
Testing ADH-SEED-SHA NO
Testing ADH-CAMELLIA128-SHA NO
Testing ECDH-RSA-AES128-GCM-SHA256 NO
Testing ECDH-ECDSA-AES128-GCM-SHA256 NO
Testing ECDH-RSA-AES128-SHA256 NO
Testing ECDH-ECDSA-AES128-SHA256 NO
Testing ECDH-RSA-AES128-SHA NO
Testing ECDH-ECDSA-AES128-SHA NO
Testing AES128-GCM-SHA256 NO

Testing AES128-SHA256 YES
Testing AES128-SHA YES

Testing SEED-SHA NO
Testing CAMELLIA128-SHA NO
Testing RC2-CBC-MD5 NO
Testing PSK-AES128-CBC-SHA NO
Testing ECDHE-RSA-RC4-SHA NO
Testing ECDHE-ECDSA-RC4-SHA NO
Testing AECDH-RC4-SHA NO
Testing ADH-RC4-MD5 NO
Testing ECDH-RSA-RC4-SHA NO
Testing ECDH-ECDSA-RC4-SHA NO

Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES

Testing PSK-RC4-SHA NO
Testing EDH-RSA-DES-CBC-SHA NO
Testing EDH-DSS-DES-CBC-SHA NO
Testing ADH-DES-CBC-SHA NO
Testing DES-CBC-SHA NO
Testing DES-CBC-MD5 NO
Testing EXP-EDH-RSA-DES-CBC-SHA NO
Testing EXP-EDH-DSS-DES-CBC-SHA NO
Testing EXP-ADH-DES-CBC-SHA NO
Testing EXP-DES-CBC-SHA NO
Testing EXP-RC2-CBC-MD5 NO
Testing EXP-RC2-CBC-MD5 NO
Testing EXP-ADH-RC4-MD5 NO
Testing EXP-RC4-MD5 NO
Testing EXP-RC4-MD5 NO
Testing ECDHE-RSA-NULL-SHA NO
Testing ECDHE-ECDSA-NULL-SHA NO
Testing AECDH-NULL-SHA NO
Testing ECDH-RSA-NULL-SHA NO
Testing ECDH-ECDSA-NULL-SHA NO
Testing NULL-SHA256 NO
Testing NULL-SHA NO
Testing NULL-MD5 NO


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#18 Post by botg » 2013-03-26 07:19

The naming is for mere humans. The internal data structures do not have dashes and underscores, so that's not a problem.

Interestingly, in your second list, for all supported ciphers no mode of operation is given (e.g. CBC). How does it operate then? If none is given, assume the worst: ECB? Why are the ciphers with CBC disabled?


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#19 Post by rossh » 2013-03-26 09:53

botg wrote:
The naming is for mere humans. The internal data structures do not have dashes and underscores, so that's not a problem.

Interestingly, in your second list, for all supported ciphers no mode of operation is given (e.g. CBC). How does it operate then? If none is given, assume the worst: ECB? Why are the ciphers with CBC disabled?

I have no idea why. I just used a script that asked openssl for all its known ciphers. Then it steps through these one by one and tries to make an SSL connection to our server (which is limited to the PCI-approved ones I indicated above). The outcome is success or fail. The end result is no match for any of the ciphers from 3.6.0.2.

The server is set up using this tool to control the ciphers / protocols it offers:
https://www.nartac.com/Products/IISCrypto/Default.aspx

Hope this helps. If someone wants to compile FileZilla with more ciphers included, contact me and I will provide a test server.


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#20 Post by rossh » 2013-03-26 16:30

Thinking about this some more, I realize now that checking the SSL is not quite the same thing. In explicit SSL FTP, it starts out as a plain-text conversation. It's when the client says AUTH TLS that the SSL negotiation begins. With that in mind, here below is the Wireshark trace of the conversation, as viewed from the server. If someone would like to match the hex up to the record data that a TLS negotiation should begin with, here it is:


    00000000  32 32 30 20 4d 69 63 72  6f 73 6f 66 74 20 46 54 220 Micr osoft FT
    00000010  50 20 53 65 72 76 69 63  65 0d 0a                P Servic e..

00000000  41 55 54 48 20 54 4c 53  0d 0a                   AUTH TLS ..

    0000001B  32 33 34 20 41 55 54 48  20 63 6f 6d 6d 61 6e 64  234 AUTH  command
    0000002B  20 6f 6b 2e 20 45 78 70  65 63 74 69 6e 67 20 54  ok. Exp ecting T
    0000003B  4c 53 20 4e 65 67 6f 74  69 61 74 69 6f 6e 2e 0d  LS Negot iation..
    0000004B  0a                                               .

0000000A  16 03 00 00 a9 01 00 00  a5 03 03 51 51 c9 40 5e ........ ...QQ.@^
0000001A  85 c9 81 99 1b b5 df d8  9f 8c 8d ba 26 45 0a 1e ........ ....&E..
0000002A  20 fd 18 1c ae 38 61 e4  41 18 22 00 00 44 c0 24  ....8a. A."..D.$
0000003A  c0 0a c0 2c c0 23 c0 09  c0 2b c0 14 c0 30 c0 27 ...,.#.. .+...0.'
0000004A  c0 13 c0 2f 00 6b 00 39  00 88 00 67 00 33 00 45 .../.k.9 ...g.3.E
0000005A  00 9e 00 6a 00 38 00 87  00 40 00 32 00 44 00 a2 ...j.8.. .@.2.D..
0000006A  00 66 00 3d 00 35 00 84  00 3c 00 2f 00 41 00 9c .f.=.5.. .<./.A..
0000007A  00 05 01 00 00 38 00 05  00 05 01 00 00 00 00 ff .....8.. ........
0000008A  01 00 01 00 00 23 00 00  00 0a 00 08 00 06 00 18 .....#.. ........
0000009A  00 19 00 17 00 0b 00 02  01 00 00 0d 00 10 00 0e ........ ........
000000AA  05 01 05 03 06 01 06 03  04 01 04 02 04 03       ........ ......

The packet following these 4 is the server closing the socket, due to no matching cipher. Whatever FileZilla is saying in that last packet, the server can't agree.


I should add that 2 competing FTP programs both manage to work in this situation. Hope this helps.
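The unindented client-side bytes in the dump above (from 16 03 00 00 a9 onward) are one TLS record carrying a ClientHello. The parser below is an added example, not FileZilla code or anything from the thread: it walks the record header, the handshake header, the client version and random, the cipher_suites vector, compression methods and the extensions block, then intersects the offered suite IDs with the 0x.. IDs from the SSL Labs report quoted in post #17. The function and constant names (parse_client_hello, common_suites, SERVER_SUITES, SUITE_NAMES) are mine; suite names are from the IANA TLS cipher suite registry.

```python
"""Decode the TLS ClientHello from the Wireshark dump in post #20 and compare
its cipher suites with the server's SSL Labs list from post #17.
Added example (not FileZilla code); function and constant names are mine."""
import struct

# Bytes transcribed from the client-side dump above, from the 0x16 record
# byte onward: one TLS record carrying one ClientHello handshake message.
CLIENT_HELLO = bytes.fromhex(
    "16 03 00 00 a9 01 00 00 a5 03 03 51 51 c9 40 5e "
    "85 c9 81 99 1b b5 df d8 9f 8c 8d ba 26 45 0a 1e "
    "20 fd 18 1c ae 38 61 e4 41 18 22 00 00 44 c0 24 "
    "c0 0a c0 2c c0 23 c0 09 c0 2b c0 14 c0 30 c0 27 "
    "c0 13 c0 2f 00 6b 00 39 00 88 00 67 00 33 00 45 "
    "00 9e 00 6a 00 38 00 87 00 40 00 32 00 44 00 a2 "
    "00 66 00 3d 00 35 00 84 00 3c 00 2f 00 41 00 9c "
    "00 05 01 00 00 38 00 05 00 05 01 00 00 00 00 ff "
    "01 00 01 00 00 23 00 00 00 0a 00 08 00 06 00 18 "
    "00 19 00 17 00 0b 00 02 01 00 00 0d 00 10 00 0e "
    "05 01 05 03 06 01 06 03 04 01 04 02 04 03"
)

# Suite IDs from the SSL Labs report quoted in post #17 (the 0x.. values).
SERVER_SUITES = {0x0005, 0x0004, 0x003c, 0x002f, 0x003d, 0x0035,
                 0xc027, 0xc013, 0xc014}

# IANA registry names for the server's suites; anything else prints as hex.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003c: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003d: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xc027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}


def parse_client_hello(record: bytes) -> dict:
    """Walk one TLS record holding a ClientHello; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake
        raise ValueError("not a TLS handshake record")
    rec_major, rec_minor, rec_len = struct.unpack("!BBH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:       # 0x01 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")         # 24-bit handshake length
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length does not match record length")
    major, minor = hello[0], hello[1]
    client_random, pos = hello[2:34], 34
    pos += 1 + hello[pos]                             # skip session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compressions = list(hello[pos + 1:pos + 1 + hello[pos]])
    pos += 1 + hello[pos]
    ext_types = []
    if pos < len(hello):                              # extensions are optional
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_len
        if end != len(hello):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
        if pos != end:
            raise ValueError("extension overruns extensions block")
    return {"record_version": (rec_major, rec_minor),
            "hello_version": (major, minor), "client_random": client_random,
            "cipher_suites": suites, "compressions": compressions,
            "extensions": ext_types}


def common_suites(offered, server):
    """Suites both sides list, kept in the client's preference order."""
    return [s for s in offered if s in server]


def suite_name(suite_id):
    return SUITE_NAMES.get(suite_id, "0x%04x" % suite_id)


if __name__ == "__main__":
    h = parse_client_hello(CLIENT_HELLO)
    print("record layer %d.%d, ClientHello %d.%d, %d suites, %d extensions"
          % (*h["record_version"], *h["hello_version"],
             len(h["cipher_suites"]), len(h["extensions"])))
    for s in common_suites(h["cipher_suites"], SERVER_SUITES):
        print("offered by both:", suite_name(s))
```

Run stand-alone, it decodes 34 offered suites (the same 34 botg lists in post #16) and finds eight of them in the server's SSL Labs list, so the capture does not show a cipher mismatch. It also shows the two version fields a strict server looks at: the record layer announces 3.0 (SSL 3.0) while the ClientHello itself announces 3.3 (TLS 1.2), which is the client-side detail to check against the server's protocol settings when a handshake is refused with no matching suite reported.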


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#21 Post by botg » 2013-03-26 22:02

Can you please post a screenshot of the tool you linked that shows the PCI settings?


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#22 Post by rossh » 2013-03-27 02:26

botg wrote:
Can you please post a screenshot of the tool you linked that shows the PCI settings?

Attachment: pci_tls-setup.png


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#23 Post by botg » 2013-03-27 07:12

I suspect it may not have anything to do with ciphers. That tool configures other settings as well. Try re-enabling all protocols.


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#24 Post by rossh » 2013-03-27 08:17

botg wrote:
I suspect it may not have anything to do with ciphers. That tool configures other settings as well. Try re-enabling all protocols.

It does work with all the (weak) ciphers (default). But this server MUST be run in PCI compliant mode - which is what you see in the screenshots above. FileZilla needs to step up and support the more complex and secure ciphers. The server will not be permitted to support the older (now insecure) ciphers. This is where the world is headed, and we will find more servers turning off older ciphers. FileZilla needs to keep up.


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#25 Post by botg » 2013-03-27 20:25

Not ciphers, protocols. Top-left corner in the screenshot.


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#26 Post by rossh » 2013-03-28 09:53

botg wrote:
Not ciphers, protocols. Top-left corner in the screenshot.

Well the main points being:

1/ This setup is the way it's going to be for all servers eventually. It's also REQUIRED by any server that works with credit card details.
2/ Other competing FTP client programs can and do work with this TLS setup.
3/ FileZilla fails due to lack of cipher / negotiation support, or maybe just a simple bug.


If you want to work with me to get FileZilla up to current standards, then let's do it. If however, you just want to shoot the messenger, then I'm afraid it's been a waste of time.


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#27 Post by botg » 2013-03-29 07:58

Did you at least test what I suggested, to re-enable the protocols (not the ciphers)?


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#28 Post by rossh » 2013-03-30 03:59

botg wrote:
Did you at least test what I suggested, to re-enable the protocols (not the ciphers)?

I press the PCI button. It sets the appropriate options. All those other items get unselected. That is it. Loosening the settings to make way for old programs is not going to happen.

The protocol being used here is 1.2. Anything less than 3.0/1.0 is flawed, and that's why it's not permitted. Isn't the protocol choice an OS / SSL function, and not program related?

You can see the list of ciphers available per above. The https://www.ssllabs.com/ server test reveals all available. If you use it to check a few good banks or payment services, you see the same results that I get.
Last edited by rossh on 2013-03-30 04:12, edited 1 time in total.

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#29 Post by boco » 2013-03-30 04:12

You should only temporarily enable all for a test (if it's a generic or indeed a cipher suite problem). If it works with all protocols selected (but the same limited ciphers) that would mean a protocol issue rather than a cipher one.

Nobody wants you to leave it at that setting.


Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#30 Post by rossh » 2013-03-30 09:04

OK, so I spent some time fiddling. FileZilla will work when limited to TLS 1.0, in this PCI limited cipher mode. It will fail on a TLS 1.2 connection. So it would seem to be a TLS protocol issue - not able to run in 1.2 mode.
