Disable TLS 1.0 & 1.1

PonchoHobono
500 Command not understood
Posts: 2
Joined: 2020-04-20 23:27
First name: Poncho
Last name: Hobono

Disable TLS 1.0 & 1.1

#1 Post by PonchoHobono » 2020-04-20 23:49

Is there a way to disable TLS 1.0 & 1.1 in FileZilla server to make it only use TLS 1.2? I'm running the latest version 0.9.60.2.

Thank you.

boco
Contributor
Posts: 25330
Joined: 2006-05-01 03:28
Location: Germany

Re: Disable TLS 1.0 & 1.1

#2 Post by boco » 2020-04-20 23:58

Not through the GUI, only by editing the "FileZilla Server.xml" config file directly.

Set the minimum TLS version to 2.

Code:

<Item name="Minimum TLS version" type="numeric">2</Item>
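An added example (not code from the thread or from the FileZilla project) that audits a "FileZilla Server.xml" for the setting boco describes and rewrites it to the value 2 when it is missing or lower; the surrounding <Settings> layout of the sample file is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Item> line quoted in the thread.
# The enclosing <FileZillaServer>/<Settings> structure is assumed for illustration.
SAMPLE_CONFIG = """<FileZillaServer>
  <Settings>
    <Item name="Admin port" type="numeric">14147</Item>
    <Item name="Minimum TLS version" type="numeric">0</Item>
  </Settings>
</FileZillaServer>
"""

ITEM_NAME = "Minimum TLS version"
REQUIRED_MINIMUM = 2  # the value the thread gives for "TLS 1.2 only"


def get_minimum_tls(config_xml: str):
    """Return the configured minimum TLS version, or None if the item is absent."""
    root = ET.fromstring(config_xml)
    for item in root.iter("Item"):
        if item.get("name") == ITEM_NAME:
            return int((item.text or "0").strip())
    return None


def tls10_11_disabled(config_xml: str) -> bool:
    """True only when the minimum is present and at least 2 (TLS 1.0/1.1 refused)."""
    value = get_minimum_tls(config_xml)
    return value is not None and value >= REQUIRED_MINIMUM


def harden_config(config_xml: str) -> str:
    """Return a copy of the config with the minimum TLS version set to 2,
    adding the <Item> under <Settings> when it is missing."""
    root = ET.fromstring(config_xml)
    settings = root.find("Settings")
    if settings is None:
        raise ValueError("no <Settings> element in config")
    target = next((i for i in settings.findall("Item") if i.get("name") == ITEM_NAME), None)
    if target is None:
        target = ET.SubElement(settings, "Item", name=ITEM_NAME, type="numeric")
    target.text = str(REQUIRED_MINIMUM)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("TLS 1.0/1.1 disabled before:", tls10_11_disabled(SAMPLE_CONFIG))
    print("TLS 1.0/1.1 disabled after: ", tls10_11_disabled(harden_config(SAMPLE_CONFIG)))
```

Run it against the real file by replacing SAMPLE_CONFIG with the file's contents, and write the returned string back only after stopping the service, since the server rewrites its config on exit.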

PonchoHobono
500 Command not understood
Posts: 2
Joined: 2020-04-20 23:27
First name: Poncho
Last name: Hobono

Re: Disable TLS 1.0 & 1.1

#3 Post by PonchoHobono » 2020-04-21 00:21

Thank you for the quick response. Looks like that worked. Thank you!

rossh
550 File not found
Posts: 35
Joined: 2013-03-11 09:46
First name: Ross

Re: Disable TLS 1.0 & 1.1

#4 Post by rossh » 2020-11-02 02:35

Hi,

How do we apply the above fix to the client?

My server with IIS is configured to only use TLS 1.2 (or higher). But the FZ client's initial attempt at connecting (implicit FTP over TLS) is done at the TLS 1.0 level (Client Hello packet). This is met with a hard fail from the server, which pushes an immediate FIN,ACK.

So how to configure the FZ client to start at the 1.2 level?

Thanks.

botg
Site Admin
Posts: 33238
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Disable TLS 1.0 & 1.1

#5 Post by botg » 2020-11-02 08:42

Faulty server, it is ignoring a hard MUST from RFC 8446 section 5.1:
legacy_record_version: MUST be set to 0x0303 for all records
generated by a TLS 1.3 implementation other than an initial
ClientHello (i.e., one not generated after a HelloRetryRequest),
where it MAY also be 0x0301 for compatibility purposes. This
field is deprecated and MUST be ignored for all purposes.

Previous versions of TLS would use other values in this field
under some circumstances.

rossh
550 File not found
Posts: 35
Joined: 2013-03-11 09:46
First name: Ross

Re: Disable TLS 1.0 & 1.1

#6 Post by rossh » 2020-11-03 01:05

Hi,

Yes, the problem turned out to be something else - virtual host names and internal binding errors at the server. Sorry for the misdirection.

I know you have done many laps trying to address all the issues in TLS across the board.

I did some further digging with Wireshark. I see that the FZ client offers up about 29 ciphers in its Client Hello. The FZ client hello packet attempts to offer itself as TLS 1.2 (0x0303), but Wireshark defines and downgrades the record layer handshake protocol to a TLS 1.0 standard. I imagine it's because many of those 29 ciphers are not suitable for use in TLS 1.2.

If we take a look at a Firefox or Chrome browser doing a TLS handshake and the Client Hello packet, we see it offers about 13 ciphers, all in the TLS 1.2 or better category. Browsers went to minimum TLS 1.2 and deprecated TLS 1.0 in June and September this year. Naturally, servers will follow suit.

I thought I could get the Debug priority string to work some magic. In default mode, it lists the same 29 ciphers it offers in the client hello packet, and many are for use in TLS 1.0 only. If I use the priority string SECURE256, then the list shows 13 ciphers, all TLS 1.2 or better. But this priority string setting does not seem to make it into the client hello packet - the client hello packet stays with the default 29 ciphers.

How do we force the FZ client to step up to be a minimum TLS 1.2 ++ only client?

Thanks.

botg
Site Admin
Posts: 33238
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Disable TLS 1.0 & 1.1

#7 Post by botg » 2020-11-03 13:14

There is currently no way short of modifying libfilezilla.

rossh
550 File not found
Posts: 35
Joined: 2013-03-11 09:46
First name: Ross

Re: Disable TLS 1.0 & 1.1

#8 Post by rossh » 2020-11-04 07:44

OK, well, editing the default priority string in libfilezilla-10.dll is not effective, as the file's digital signatures are damaged (tried it).

How about adding this TLS 1.2++ only as an option, or as a manual override setting we put in the .xml file?

Or maybe a way to make the debug Priority string both work, and remain sticky through restarts?

Many thanks.
