Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#12579 closed Bug report (invalid)

version 3.56 minimum TLS version setting stuck at "2"

Reported by: Thomas Kite Sharpless
Owned by:
Priority: normal
Component: FileZilla Client
Keywords: TLS
Cc:
Component version: 3.56
Operating system type: Windows
Operating system version: 10 home 2004

Description

  1. 3.56.2 pulls "Gnu TLS error -8: unsupported version" when connecting to a site whose highest active TLS version is 1.2. filezilla.xml has this:
3.56.0-rc1 (2021-09-29)

+ Right-clicking a queue tab header now opens the same context menu as right-clicking the correponding queue contents
+ By default, the minimum allowed TLS version is now TLS 1.2
+ Optionally, the systen trust store can be used for certificate verification
- FTP: Fixed an issue with key file conversion
- Fixed an issue loading servers not supporting session resumption from storage
</Setting>
		<Setting name="Window position and size">0 306 14 1402 924 </Setting>
		<Setting name="Minimum TLS Version">2</Setting>
		<Setting name="Trust system trust store">0</Setting>
		<Setting name="Greeting version">3.56.2</Setting>

The line for Minimum TLS Version is clearly in error -- surely this should be "1.2" not "2".
Worse, when I make that change and run FileZilla, the number reverts to "2".

Change History (3)

comment:1 by Fabio Alemagna, 2 months ago

Resolution: invalid
Status: new → closed

By which logic do you assume that it "surely" should be "1.2" there? That value is an index, and 2 corresponds to version 1.2: have a look at src/engine/tls.cpp.

comment:2 by Thomas Kite Sharpless, 2 months ago

OK, I don't know FZ internals. But I do know that it is failing to connect to a site that has TLS 1.2 enabled (https://www.cdn77.com/tls-test/result?domain=paniniperspective.com) and that ftptest.net connects successfully (log below)
Status: Resolving address of paniniperspective.com

Status: Connecting to 184.168.190.50

Warning: The entered address does not resolve to an IPv6 address.

Status: Connected, waiting for welcome message...

Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------

Reply: 220-You are user number 1 of 500 allowed.

Reply: 220-Local time is now 19:00. Server port: 21.

Reply: 220-This is a private system - No anonymous login

Reply: 220 You will be disconnected after 3 minutes of inactivity.

Command: CLNT https://ftptest.net on behalf of 2601:4a:c081:1500::9761

Reply: 530 You aren't logged in

Command: AUTH TLS

Reply: 234 AUTH TLS OK.

Status: Performing TLS handshake...

Status: TLS handshake successful, verifying certificate...

Status: Received 1 certificates from server.

Status: cert[0]: subject='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net' issuer='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net'

Command: USER sgerecke

Reply: 331 User sgerecke OK. Password required

Command: PASS

Reply: 230 OK. Current restricted directory is /

Command: SYST

Reply: 215 UNIX Type: L8

Command: FEAT

Reply: 211-Extensions supported:

Reply: EPRT

Reply: IDLE

Reply: MDTM

Reply: SIZE

Reply: MFMT

Reply: REST STREAM

Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;

Reply: MLSD

Reply: AUTH TLS

Reply: PBSZ

Reply: PROT

Reply: UTF8

Reply: TVFS

Reply: ESTA

Reply: PASV

Reply: EPSV

Reply: SPSV

Reply: ESTP

Reply: 211 End.

Command: PBSZ 0

Reply: 200 PBSZ=0

Command: PROT P

Reply: 200 Data protection level set to "private"

Command: PWD

Reply: 257 "/" is your current location

Status: Current path is /

Command: TYPE I

Reply: 200 TYPE is now 8-bit binary

Command: PASV

Reply: 227 Entering Passive Mode (184,168,190,50,195,143)

Command: MLSD

Status: Data connection established, performing TLS handshake...

Reply: 150 Accepted data connection

Status: TLS handshake successful, verifying certificate...

Status: Received 1 certificates from server.

Status: cert[0]: subject='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net' issuer='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net'

Status: TLS session of transfer connection has been resumed.

Listing: type=cdir;sizd=4096;modify=20211104171453;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928057; .

Listing: type=pdir;sizd=4096;modify=20211104171453;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928057; ..

Listing: type=dir;sizd=4096;modify=20211104173432;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928058; boat-test

Reply: 226-Options: -a -l

Reply: 226 3 matches total

Status: Success

comment:3 by Fabio Alemagna, 2 months ago

That online service is testing the HTTP server, not the ftp server available at that domain. Ftptest is certainly not using TLS1.2.

Last edited 2 months ago by Fabio Alemagna
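Comment 3's point is that a web TLS test says nothing about the FTP service on the same domain. As an added example (not part of the ticket and not FileZilla code), this Python probe tests the FTP control port itself through AUTH TLS, one TLS version at a time; `read_reply` and `probe` are this example's own names, and the host is taken from the command line.

```python
import socket
import ssl
import sys

def read_reply(fp):
    """Read one FTP reply; 'NNN-' opens a multi-line reply that ends at 'NNN '."""
    lines = []
    while True:
        raw = fp.readline()
        if not raw:
            raise ConnectionError("connection closed before the reply ended")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        # Final line: same 3-digit code as the first line, not followed by '-'.
        if line[:3].isdigit() and line[3:4] in ("", " ") and line[:3] == lines[0][:3]:
            return int(line[:3]), lines

def probe(host, version, port=21, timeout=10):
    """Return the negotiated protocol name if the FTP control channel
    completes a handshake pinned to `version`, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # diagnostic only: tests protocol
    ctx.verify_mode = ssl.CERT_NONE   # support, not certificate trust
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fp = sock.makefile("rb")
        read_reply(fp)                        # 220 welcome banner
        sock.sendall(b"AUTH TLS\r\n")
        code, _ = read_reply(fp)
        if code != 234:                       # server refused explicit TLS
            return None
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
        except (ssl.SSLError, OSError):
            return None

if __name__ == "__main__":
    host = sys.argv[1]
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(f"{v.name}: {probe(host, v) or 'not negotiated'}")
```

A `None` for TLS 1.0 or 1.1 can also mean the local OpenSSL build refuses that version, so confirm old-version results from a client that still permits them.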