How to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server ?

Ateliers_CYM
504 Command not implemented
Posts: 6
Joined: 2023-03-07 10:35
First name: Cyril
Last name: Marion

#1 Post by Ateliers_CYM » 2023-03-07 10:54

Hello everybody,

I've set up a FileZilla Server version 1.6.7 on a Windows 2022 server machine. By default the TLS version which is used is 1.3.
One of my customers uses a home-made FTP client on a Windows 2019 server, which does not support protocol TLS 1.3, only version 1.2.

When someone logs onto my FileZilla Server he receives a proposal for accepting the TLS certificate, where the version of the protocol used is indicated and is TLS 1.3.

So I tried to disable the version 1.3 and enable version 1.2 instead, by changing the registry and reboot.

But the version used does not change, it is still version 1.3.

So my question is simple : how to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server itself, or on the machine which hosts the FileZilla Server ?

Many thanks in advance,

Cheers,
Cyril

oibaf
Contributor
Posts: 404
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: How to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server ?

#2 Post by oibaf » 2023-03-07 11:00

FileZilla Server can be configured to require a minimum TLS version, not a maximum. This means that FileZilla Server will refuse to establish a connection which doesn't support a TLS version higher than or equal to the one that FileZilla Server is instructed to require as a minimum.

Therefore, all you can do on FileZilla is to set the minimum required TLS version to 1.2. FileZilla Server will still propose to agree to TLS version 1.3, then it's up to the client to respond with its own desired version, which should then be 1.2. FileZilla Server will then agree to that.

To recap: it's the client's duty to respond to that FileZilla Server proposal appropriately.

> So I tried to disable the version 1.3 and enable version 1.2 instead, by changing the registry and reboot.

There's no need to change the registry to set the minimum TLS version in FileZilla Server, you just need to do it from the Administration UI. FileZilla Server uses the registry only to store information about its own install paths and other installer-related things, not for its runtime activities. Also, there's no need to reboot.


Re: How to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server ?

#3 Post by Ateliers_CYM » 2023-03-07 14:01

Thank you Fabio, for your answer.
It's clearer now, even if (in our case at least, where the FTP client is handmade) it would have been useful to be able to set up both minimum and maximum TLS versions in the FileZilla Server interface.
Cheers,
Cyril

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: How to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server ?

#4 Post by boco » 2023-03-07 15:04

It doesn't make sense to set a maximum TLS version in the server, security-wise. The other clients are working fine, why artificially downgrade them to the less-advanced TLS 1.2? The supported TLS versions must be negotiated between the client and server during the handshake, and the highest version supported by both will be used. Thus, if the client indicates that it only supports 1.2, it is automatically used.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server ?

#5 Post by botg » 2023-03-07 16:06

In other words, if TLS 1.3 is being negotiated, it is only because the client is in fact advertising support for it.
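
The negotiation rule described in posts #4 and #5, as an added example that is not part of the original thread and is not FileZilla code: it parses the `supported_versions` extension of a ClientHello to show what a client actually advertises, then applies a server-side minimum. The function names, the `server_max` parameter and the sample bytes are constructed for illustration, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type, RFC 8446 section 4.2.1
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def advertised_versions(record: bytes) -> list:
    """Versions offered by a ClientHello record, highest first."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                   # skip record + handshake headers
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                             # legacy_version + random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    offered = None
    if pos + 2 <= len(record):                # extensions block present
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == SUPPORTED_VERSIONS:
                count = record[pos] // 2
                offered = struct.unpack_from(f"!{count}H", record, pos + 1)
            pos += ext_len
    if offered is None:                       # pre-1.3 client: legacy_version is its maximum
        offered = [v for v in NAMES if v <= legacy]
    # Unknown values (e.g. GREASE) are ignored, as a server would.
    return sorted((v for v in offered if v in NAMES), reverse=True)

def negotiate(record: bytes, server_min=0x0303, server_max=0x0304):
    """Highest version both sides accept, or None if the server would refuse."""
    common = [v for v in advertised_versions(record) if server_min <= v <= server_max]
    return NAMES[common[0]] if common else None

def sample_hello(versions=None, legacy=0x0303) -> bytes:
    """Constructed ClientHello for the demo (not a real capture)."""
    ext = b""
    if versions:
        body = bytes([2 * len(versions)]) + struct.pack(f"!{len(versions)}H", *versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for label, rec in [("1.3-capable client", sample_hello([0x0304, 0x0303])),
                       ("1.2-only client", sample_hello())]:
        print(label, "->", negotiate(rec))
```

Running `advertised_versions` on the first handshake record of a packet capture from the problem client shows whether it really offers only TLS 1.2.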


Re: How to force disabling version 1.3 of TLS protocol and force version 1.2 instead on FileZilla Server ?

#6 Post by Ateliers_CYM » 2023-03-07 19:51

Thank you all, guys.
I think my problem is located somewhere else...
According to my present understanding of the situation (and dozens of tests on other similar setups) I think my particular FileZilla client does not properly get the server's certificate.
I made another post, this time to ask how to force the client to ask for a certificate : viewtopic.php?f=2&t=55755.
I hope to get answers (and not boring you all...)
Thanks, again,
Cheers,
Cyril
