id: 9438
summary: invalid GnuTLS ciphers string for GnuTLS < 2.11.5
reporter: James Ralston
owner:
description:

FileZilla supports GnuTLS versions 2.8.3 and later. However, in src/engine/tlssocket.cpp, the following code appears:

{{{
#if GNUTLS_VERSION_NUMBER >= 0x030100
	char const ciphers[] = "SECURE256:+SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
#else
	// Versions before 3.1.0 cannot combine level keywords
	char const ciphers[] = "SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
#endif
}}}

But this is wrong, because SIGN-ALL wasn't added to GnuTLS until version 2.11.5. From the GnuTLS [http://gitorious.org/gnutls/gnutls/blobs/master/NEWS NEWS] file:

{{{
* Version 2.11.5 (released 2010-12-01)

** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.

** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key.
Reported by Jeffrey Walton.

** libgnutls: Added SIGN-ALL, CTYPE-ALL, COMP-ALL, and VERS-TLS-ALL
as priority strings. Those allow to set all the supported algorithms
at once.
}}}

Because of this bug, FTPS support is broken on Red Hat Enterprise Linux 6, which is a very common Linux distribution.

I created the attached patch. I've tested the patch locally, and verified that FileZilla can now properly make TLS-enabled FTP connections on RHEL6. Could you please apply it?

One caveat: you should verify that my selection of signature algorithms is reasonable.

Thanks!

type: Patch
status: closed
priority: normal
component: FileZilla Client
resolution: rejected
keywords: gnutls ciphers
cc:
component_version:
os: Linux
os_version: RHEL6
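The report boils down to two version constraints on a GnuTLS priority string: the *-ALL keywords need 2.11.5 or later, and a second level keyword (SECURE128 after SECURE256) needs 3.1.0 or later. The following is an added example, written for this page and not code from FileZilla or GnuTLS: it tokenizes a priority string the way GnuTLS does (colon-separated, optional +/-/! modifier) and counts the keywords a given GNUTLS_VERSION_NUMBER would reject, using only the two constraints stated in the ticket and the quoted NEWS entry. The function names are mine, and the list of level keywords beyond SECURE256/SECURE128 is an assumption, as is the choice of 2.8.3 as the oldest version to test (the ticket names it as the oldest FileZilla supports). The attached patch is not on this page, so no replacement string for pre-2.11.5 versions is proposed here.

```c
/* Added example, not FileZilla or GnuTLS code: check a GnuTLS priority
 * string against a target GnuTLS version using the two constraints the
 * ticket states. Function names and the level-keyword list are assumptions. */
#include <stdio.h>
#include <string.h>

/* Same encoding as GnuTLS's GNUTLS_VERSION_NUMBER macro: 0xMMmmpp. */
unsigned gnutls_version_number(unsigned major, unsigned minor, unsigned patch)
{
    return (major << 16) | (minor << 8) | patch;
}

/* Thresholds taken from the ticket and the NEWS excerpt it quotes. */
#define NEEDS_ALL_KEYWORDS   0x020b05u /* 2.11.5: SIGN-ALL, CTYPE-ALL, COMP-ALL, VERS-TLS-ALL */
#define NEEDS_COMBINED_LEVEL 0x030100u /* 3.1.0: more than one level keyword per string */

static const char *const all_keywords[] = {
    "SIGN-ALL", "CTYPE-ALL", "COMP-ALL", "VERS-TLS-ALL"
};
/* Assumed list; the ticket's strings only use SECURE256 and SECURE128. */
static const char *const level_keywords[] = {
    "SECURE256", "SECURE128", "NORMAL", "PERFORMANCE", "EXPORT"
};

static int token_is(const char *tok, size_t len, const char *kw)
{
    return strlen(kw) == len && memcmp(tok, kw, len) == 0;
}

/* Returns the number of keywords in `priority` that `version` does not
 * support, describing each one on stderr. Only the two constraints from the
 * ticket are checked; every other keyword is passed through untouched. */
int check_priority_for_version(const char *priority, unsigned version)
{
    const char *p = priority;
    int problems = 0, levels = 0;
    size_t i;

    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *kw = p;
        size_t kwlen = len;

        /* Strip the +/-/! modifier; only the keyword itself matters here. */
        if (kwlen && (*kw == '+' || *kw == '-' || *kw == '!')) {
            kw++;
            kwlen--;
        }

        for (i = 0; i < sizeof all_keywords / sizeof *all_keywords; i++) {
            if (token_is(kw, kwlen, all_keywords[i]) && version < NEEDS_ALL_KEYWORDS) {
                fprintf(stderr, "%.*s needs GnuTLS >= 2.11.5 (have 0x%06x)\n",
                        (int)kwlen, kw, version);
                problems++;
            }
        }
        for (i = 0; i < sizeof level_keywords / sizeof *level_keywords; i++) {
            if (token_is(kw, kwlen, level_keywords[i])) {
                levels++;
                if (levels > 1 && version < NEEDS_COMBINED_LEVEL) {
                    fprintf(stderr, "second level keyword %.*s needs GnuTLS >= 3.1.0 (have 0x%06x)\n",
                            (int)kwlen, kw, version);
                    problems++;
                }
            }
        }
        p = end ? end + 1 : p + len;
    }
    return problems;
}

/* The two strings from FileZilla's tlssocket.cpp exactly as quoted in the ticket. */
const char filezilla_priority_31[] =
    "SECURE256:+SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";
const char filezilla_priority_pre31[] =
    "SECURE128:+ARCFOUR-128:-3DES-CBC:-MD5:+SIGN-ALL:-SIGN-RSA-MD5:+CTYPE-X509:-CTYPE-OPENPGP";

int main(void)
{
    /* 2.8.3 is the oldest version the ticket says FileZilla supports. */
    unsigned versions[] = {
        gnutls_version_number(2, 8, 3),
        gnutls_version_number(2, 11, 5),
        gnutls_version_number(3, 1, 0),
    };
    size_t i;

    for (i = 0; i < sizeof versions / sizeof *versions; i++) {
        int new_str = check_priority_for_version(filezilla_priority_31, versions[i]);
        int old_str = check_priority_for_version(filezilla_priority_pre31, versions[i]);
        printf("GnuTLS 0x%06x: >=3.1.0 string has %d problem(s), #else string has %d problem(s)\n",
               versions[i], new_str, old_str);
    }
    return 0;
}
```

Run against 2.8.3 the #else branch's string is flagged once, for SIGN-ALL, which is the failure the ticket describes on RHEL6; against 2.11.5 it is clean, and the >= 3.1.0 string is flagged only for its second level keyword. A two-way #if on 0x030100 therefore leaves a gap between 2.8.3 and 2.11.5 that needs its own branch.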