#12579 closed Bug report (invalid)
version 3.56 minimum TLS version setting stuck at "2"
Reported by: | Thomas Kite Sharpless | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | FileZilla Client |
Keywords: | TLS | Cc: | |
Component version: | 3.56 | Operating system type: | Windows |
Operating system version: | 10 home 2004 |
Description
3.56.2 pulls "Gnu TLS error -8: unsupported version" when connecting to a site whose highest active TLS version is 1.2. filezilla.xml has this:

3.56.0-rc1 (2021-09-29)
+ Right-clicking a queue tab header now opens the same context menu as right-clicking the correponding queue contents
+ By default, the minimum allowed TLS version is now TLS 1.2
+ Optionally, the systen trust store can be used for certificate verification
- FTP: Fixed an issue with key file conversion
- Fixed an issue loading servers not supporting session resumption from storage
</Setting>
<Setting name="Window position and size">0 306 14 1402 924 </Setting>
<Setting name="Minimum TLS Version">2</Setting>
<Setting name="Trust system trust store">0</Setting>
<Setting name="Greeting version">3.56.2</Setting>
The line for Minimum TLS Version is clearly in error -- surely this should be "1.2" not "2".
Worse, when I make that change and run FileZilla, the number reverts to "2".
Change History (3)
comment:1 by , 3 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 3 years ago
OK, I don't know FZ internals. But I do know that it is failing to connect to a site that has TLS 1.2 enabled (https://www.cdn77.com/tls-test/result?domain=paniniperspective.com) and that ftptest.net connects successfully (log below).
Status: Resolving address of paniniperspective.com
Status: Connecting to 184.168.190.50
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Reply: 220-You are user number 1 of 500 allowed.
Reply: 220-Local time is now 19:00. Server port: 21.
Reply: 220-This is a private system - No anonymous login
Reply: 220 You will be disconnected after 3 minutes of inactivity.
Command: CLNT https://ftptest.net on behalf of 2601:4a:c081:1500::9761
Reply: 530 You aren't logged in
Command: AUTH TLS
Reply: 234 AUTH TLS OK.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net' issuer='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net'
Command: USER sgerecke
Reply: 331 User sgerecke OK. Password required
Command: PASS
Reply: 230 OK. Current restricted directory is /
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Extensions supported:
Reply: EPRT
Reply: IDLE
Reply: MDTM
Reply: SIZE
Reply: MFMT
Reply: REST STREAM
Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Reply: MLSD
Reply: AUTH TLS
Reply: PBSZ
Reply: PROT
Reply: UTF8
Reply: TVFS
Reply: ESTA
Reply: PASV
Reply: EPSV
Reply: SPSV
Reply: ESTP
Reply: 211 End.
Command: PBSZ 0
Reply: 200 PBSZ=0
Command: PROT P
Reply: 200 Data protection level set to "private"
Command: PWD
Reply: 257 "/" is your current location
Status: Current path is /
Command: TYPE I
Reply: 200 TYPE is now 8-bit binary
Command: PASV
Reply: 227 Entering Passive Mode (184,168,190,50,195,143)
Command: MLSD
Status: Data connection established, performing TLS handshake...
Reply: 150 Accepted data connection
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net' issuer='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net'
Status: TLS session of transfer connection has been resumed.
Listing: type=cdir;sizd=4096;modify=20211104171453;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928057; .
Listing: type=pdir;sizd=4096;modify=20211104171453;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928057; ..
Listing: type=dir;sizd=4096;modify=20211104173432;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928058; boat-test
Reply: 226-Options: -a -l
Reply: 226 3 matches total
Status: Success
comment:3 by , 3 years ago
That online service is testing the HTTP server, not the ftp server available at that domain. Ftptest is certainly not using TLS1.2.
The following command will attest that only TLS1.0 is used by the ftp server available on that domain.
By which logic do you assume that it "surely" should be "1.2" there? That value is an index, and 2 corresponds to version 1.2: have a look at src/engine/tls.cpp.
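Added example (not part of the ticket and not FileZilla's own code): a small audit that reads the "Minimum TLS Version" setting from a filezilla.xml document, decodes it as an index, and reports when the floor is below policy or above what a server offers, which is the mismatch discussed in this ticket. Assumptions: only index 2 = TLS 1.2 is confirmed by the ticket, so the other table entries, the function names and the sample XML are illustrative and should be checked against src/engine/tls.cpp.

```python
import xml.etree.ElementTree as ET

# Assumed index -> (major, minor) table. The ticket confirms only "2" -> TLS 1.2;
# verify the remaining entries against src/engine/tls.cpp before relying on them.
INDEX_TO_VERSION = {"0": (1, 0), "1": (1, 1), "2": (1, 2), "3": (1, 3)}
# Changelog quoted in the ticket: the default minimum is TLS 1.2 since 3.56.0-rc1.
DEFAULT_INDEX = "2"

# Constructed sample, shaped like the fragment quoted in the ticket.
SAMPLE = """<FileZilla3><Settings>
  <Setting name="Minimum TLS Version">2</Setting>
  <Setting name="Trust system trust store">0</Setting>
</Settings></FileZilla3>"""


def minimum_tls(xml_text):
    """Return the (major, minor) TLS floor configured in a filezilla.xml document."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("Setting"):
        if setting.get("name") == "Minimum TLS Version":
            raw = (setting.text or "").strip()
            # The value is an index, not a version string, so "1.2" is rejected here.
            if raw not in INDEX_TO_VERSION:
                raise ValueError(f"not a valid Minimum TLS Version index: {raw!r}")
            return INDEX_TO_VERSION[raw]
    # Setting absent: fall back to the documented default.
    return INDEX_TO_VERSION[DEFAULT_INDEX]


def audit(xml_text, policy_floor=(1, 2), server_max=None):
    """Compare the client floor with policy and, optionally, a server's highest version."""
    floor = minimum_tls(xml_text)
    findings = []
    if floor < policy_floor:
        findings.append("client floor TLS %d.%d is below policy" % floor)
    if server_max is not None and server_max < floor:
        # The situation in the ticket: client and server share no acceptable version.
        findings.append("server tops out at TLS %d.%d, below client floor TLS %d.%d"
                        % (server_max + floor))
    return floor, findings


if __name__ == "__main__":
    # Server limited to TLS 1.0, as comment:3 states for the FTP service.
    print(audit(SAMPLE, server_max=(1, 0)))
```

The `server_max` value has to come from testing the FTP service itself, since a result for the HTTPS server on the same domain says nothing about port 21.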