Topic: Allow only TLSv1.2

ronny.wouters
Allow only TLSv1.2
« on: February 09, 2017, 02:26:56 pm »
Hello,

I'm trying to disable all older TLS versions, but I can't seem to get it working.

In my config I have the following:
  TLSProtocol                     TLSv1.2
Yet, when I try to connect with TLSv1 or TLSv1.1, the TLS log shows me:
  2017-02-09 14:02:15,243 mod_tls/2.7[13369550]: TLSv1 connection accepted, using cipher ECDHE-RSA-AES256-SHA (256 bits)
  2017-02-09 14:02:21,141 mod_tls/2.7[13369552]: TLSv1.1 connection accepted, using cipher ECDHE-RSA-AES256-SHA (256 bits)

I'm trying the connection with the following commands:
  /usr/local/bin/openssl s_client -connect server:21 -starttls ftp -tls1
  /usr/local/bin/openssl s_client -connect server:21 -starttls ftp -tls1_1

Anybody have any idea why it is not limiting?

With kind regards,

Ronny

castaglia (Administrator)
Re: Allow only TLSv1.2
« Reply #1 on: February 09, 2017, 03:58:09 pm »
Which versions of ProFTPD and OpenSSL are you using?  That is, what does the following show:

  $ openssl version -a
  $ proftpd -V

ronny.wouters
Re: Allow only TLSv1.2
« Reply #2 on: February 10, 2017, 06:43:12 am »
Hello,

This is the output of the commands:
/home/root/proftpd> openssl version -a
OpenSSL 1.0.1i 6 Aug 2014
built on: Thu Aug 14 23:41:53 DFT 2014
platform: aix-xlc_r
options:  bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) blowfish(idx)
compiler: xlc_r -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -qthreaded -D_THREAD_SAFE -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM
OPENSSLDIR: "/var/ssl"

/home/root/proftpd> /usr/local/proftpd/sbin/proftpd -V
Compile-time Settings:
  Version: 1.3.6rc2 (devel)
  Platform: AIX7 (AIX7_1_0_0) [AIX 1 000EF87BD400]
  Built: Thu Feb 9 2017 13:22:30 CUT
  Built With:
    configure  '--prefix=/usr/local/proftpd' '--enable-authpam' '--disable-auth-file' '--disable-ncurses' '--enable-nls' '--enable-openssl' '--with-includes=/opt/freeware/include/mysql/' '--with-libraries=/opt/freeware/lib/mysql:/home/root/proftpd/extra_libs/' '--with-modules=mod_tls:mod_sql:mod_sql_mysql:mod_sql_passwd:mod_sftp:mod_sftp_sql'

  CFLAGS: -O2 -Wall
  LDFLAGS: -L$(top_srcdir)/lib  -L/home/root/proftpd/extra_libs/ -L/opt/freeware/lib/mysql
  LIBS: -lintl  -lssl -lcrypto -lssl -lcrypto -lm -lmysqlclient -lz  -lssl  -lpam  -lcrypto -lsupp  -liconv

  Files:
    Configuration File:
      /usr/local/proftpd/etc/proftpd.conf
    Pid File:
      /usr/local/proftpd/var/proftpd.pid
    Scoreboard File:
      /usr/local/proftpd/var/proftpd.scoreboard

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    - Controls support
    + curses support
    - Developer support
    - DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    - Memcache support
    - ncurses support
    + NLS support
    + OpenSSL support
    - PCRE support
    - POSIX ACL support
    - Shadow file suppport
    - Sendfile support
    + Trace support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 1024
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10


With kind regards,

R.

castaglia (Administrator)
Re: Allow only TLSv1.2
« Reply #3 on: February 10, 2017, 09:15:20 pm »
Hmm.  I'm not able to reproduce this behavior locally; when I configure "TLSProtocol TLSv1.2", and test using `openssl s_client` as you are, it behaves as expected.

Could you provide your full proftpd.conf, so that we might see if there are other possible factors involved?

ronny.wouters
Re: Allow only TLSv1.2
« Reply #4 on: February 13, 2017, 08:25:45 am »
Hello,

This is the config file as we use it:

#trace log if enabled must be on top of the file.
TraceLog /var/log/proftpd_trace.log
Trace DEFAULT:10

#-----------------------------------------------------------------------
# Server Configuration: those parameters cannot be elsewhere
#-----------------------------------------------------------------------
ServerName                      "ftp daemon"
ServerType                      inetd
UseIPv6                         off

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
        DenyAll
</Limit>

#Port                           210

SystemLog                       /var/log/proftpd.log
#SystemLog                      none
LogFormat authentication "%{%F %T}t %P from: %a to: %{protocol}:%H:%p user: %U msg: %S"
LogFormat transfer "%{%F %T}t %P from: %a to: %{protocol}:%H:%p user: %U file: %f cmd: %m %J"

#TLSProtocol                     SSLv3 TLSv1
TLSProtocol                     TLSv1.2

UseReverseDNS                   off

<Global>
        #-----------------------------------------------------------------------
        # Generic Configuration
        #-----------------------------------------------------------------------
        DefaultRoot     ~
        Umask           002 002
        allowOverwrite  on
        ExtendedLog     /var/log/proftpd_auth.log AUTH,EXIT,SEC authentication
        ExtendedLog     /var/log/proftpd_xfer.log READ,WRITE transfer
        #AuthOrder      mod_sql.c mod_auth_unix.c*
        AuthOrder       mod_auth_unix.c  mod_auth_pam.c mod_sql.c


        #-----------------------------------------------------------------------
        # SQL Configuration
        #-----------------------------------------------------------------------
        SQLAuthTypes                    SHA512
        SQLPasswordEngine               on
        SQLPasswordEncoding             base64
        SQLPasswordRounds               300
        SQLNamedQuery                   get-user-authorized-keys SELECT "`publickey` FROM vftp_user WHERE userid='%U'"
        SQLNamedQuery                   get-user-salt SELECT "salt FROM puser_salts WHERE userid = '%{0}'"
        SQLPasswordUserSalt             sql:/get-user-salt Append
        SQLAuthenticate                 users
        SQLConnectInfo                  dev@154.117.25.5:52761 afmdev_pro 1d5Rec91Ať8d
        SQLUserInfo                     pusers userid passwd uid gid homedir shell
        SQLOptions                      noDisconnectOnError
        #SQLOptions                     noReconnect
        SQLMinUserUID                   200
        SQLMinUserGID                   1
        SQLDefaultGID                   65534
        SQLDefaultUID                   65534
#        SQLLogFile                      none
        SQLLogFile                     /var/log/proftpd_sql.log

        #-----------------------------------------------------------------------
        # TLS Configuration
        #-----------------------------------------------------------------------
        TLSEngine                       off
        TLSRSACertificateFile           /usr/local/proftpd/etc/proftpd.cert.pem
        TLSRSACertificateKeyFile        /usr/local/proftpd/etc/proftpd.key.pem
        TLSLog                         /var/log/proftpd_etls.log
        #TLSLog                          none
        TLSVerifyClient                 off
        #TLSRenegotiate                 none
        TLSRequired                     off
</Global>

# -----------------------------------------------------------------------------
#    __ _              __   __ _         _____ _____                    __
#   / _| |            / /  / _| |       |  ___/  ___|                  / _|
#  | |_| |_ _ __     / /  | |_| |_ _ __ | |__ \ `--.    ___ ___  _ __ | |_
#  |  _| __| '_ \   / /   |  _| __| '_ \|  __| `--. \  / __/ _ \| '_ \|  _|
#  | | | |_| |_) | / /    | | | |_| |_) | |___/\__/ / | (_| (_) | | | | |
#  |_|  \__| .__/ /_/     |_|  \__| .__/\____/\____/   \___\___/|_| |_|_|
#          | |                    | |
#          |_|                    |_|
# -----------------------------------------------------------------------------

<VirtualHost 0.0.0.0>
        Port                            210
        TLSEngine                       on
        TLSOptions                      NoSessionReuseRequired
        SQLUserWhereClause " (allowed = 'both' OR allowed = 'ftp') "
</VirtualHost>


# -----------------------------------------------------------------------------
#    __ _         _____                    __
#   / _| |       /  ___|                  / _|
#  | |_| |_ _ __ \ `--.    ___ ___  _ __ | |_
#  |  _| __| '_ \ `--. \  / __/ _ \| '_ \|  _|
#  | | | |_| |_) /\__/ / | (_| (_) | | | | |
#  |_|  \__| .__/\____/   \___\___/|_| |_|_|
#          | |
#          |_|
# -----------------------------------------------------------------------------
<VirtualHost 0.0.0.0>
        Port                                    214
        TLSEngine                               on
        TLSRequired                             on
        #only FTPS available
        TLSOptions                              UseImplicitSSL NoSessionReuseRequired
        # Are clients required to use FTP over TLS when talking to this server?
        SQLUserWhereClause      " (allowed = 'both' OR allowed = 'ftp') "
</VirtualHost>


# -----------------------------------------------------------------------------
#   _____  __ _                            __
#  /  ___|/ _| |                          / _|
#  \ `--.| |_| |_ _ __     ___ ___  _ __ | |_
#   `--. \  _| __| '_ \   / __/ _ \| '_ \|  _|
#  /\__/ / | | |_| |_) | | (_| (_) | | | | |
#  \____/|_|  \__| .__/   \___\___/|_| |_|_|
#                | |
#                |_|
# -----------------------------------------------------------------------------
  <VirtualHost 0.0.0.0>
        Port                                    211
        SQLUserWhereClause      " (allowed = 'both' OR allowed = 'sftp') "

        SFTPEngine                      on
        #SFTPLog                                none
        SFTPLog                        /usr/local/proftpd/var/log/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey                     /etc/centrifydc/ssh/ssh_host_dsa_key
        SFTPHostKey                     /etc/centrifydc/ssh/ssh_host_rsa_key

        # Configure the file used for comparing authorized public keys of users.
        SFTPAuthorizedUserKeys sql:/get-user-authorized-keys

        # Enable compression
        SFTPCompression                                 delayed

        # Allow the same number of authentication attempts as OpenSSH.
        # It is recommended that you explicitly configure MaxLoginAttempts
        # for your SSH2/SFTP instance to be higher than the normal
        # MaxLoginAttempts value for FTP, as there are more ways to authenticate
        # using SSH2.
        MaxLoginAttempts                                6
  </VirtualHost>

I hope this helps.

castaglia (Administrator)
Re: Allow only TLSv1.2
« Reply #5 on: February 13, 2017, 04:46:23 pm »
The TLSProtocol directive will need to be located within your <Global> section, so that it is applied to all of your <VirtualHost> sections.
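The scoping rule in this answer (a server-context TLSProtocol does not reach the <VirtualHost> sections; only <Global> or a per-vhost setting does) can be checked mechanically. The script below is an added example, not ProFTPD code: it walks a constructed proftpd.conf fragment laid out like the one in this thread, tracks which section each directive sits in, and reports every TLS-enabled vhost that has no TLSProtocol in effect. It assumes directive names are spelled exactly as in the thread and ignores contexts other than <Global> and <VirtualHost>.

```python
import re
from typing import Dict, List, Optional

# Constructed proftpd.conf fragment mirroring the thread's layout: TLSProtocol
# at the top (server context), a <Global> without it, two TLS-enabled vhosts.
SAMPLE_CONF = """\
TLSProtocol  TLSv1.2
<Global>
    TLSEngine   off
</Global>
<VirtualHost 0.0.0.0>
    Port        210
    TLSEngine   on
</VirtualHost>
<VirtualHost 0.0.0.0>
    Port        214
    TLSEngine   on
</VirtualHost>
"""

def effective_tls_protocol(conf: str) -> Dict[str, Optional[str]]:
    """Map each TLS-enabled <VirtualHost> (keyed by its Port) to the TLSProtocol
    value that applies to it: the vhost's own setting, else the <Global> one,
    else None (mod_tls default). A server-context value is deliberately ignored
    because it governs only the main server block, not the vhosts."""
    stack: List[str] = []                  # currently open sections
    glob: Dict[str, str] = {}              # directives seen inside <Global>
    vhost: Dict[str, str] = {}             # directives of the vhost being read
    result: Dict[str, Optional[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if re.match(r"^<VirtualHost\b", line):
            stack.append("VirtualHost"); vhost = {}
        elif line == "<Global>":
            stack.append("Global")
        elif line.startswith("</"):
            if stack.pop() == "VirtualHost":
                tls_on = vhost.get("TLSEngine", glob.get("TLSEngine", "off"))
                if tls_on.lower() == "on":
                    label = "port " + vhost.get("Port", "21")
                    result[label] = vhost.get("TLSProtocol", glob.get("TLSProtocol"))
        elif line.startswith("<"):
            stack.append("other")          # <Limit>, <Anonymous>, ...: skipped
        elif stack and stack[-1] in ("VirtualHost", "Global"):
            key, _, val = line.partition(" ")
            (vhost if stack[-1] == "VirtualHost" else glob)[key] = val.strip()
    return result

def vhosts_missing_tls_protocol(conf: str) -> List[str]:
    """Labels of TLS-enabled vhosts that fall back to the mod_tls default."""
    return [name for name, proto in effective_tls_protocol(conf).items() if proto is None]
```

Running `vhosts_missing_tls_protocol(SAMPLE_CONF)` flags both vhosts; moving the directive into <Global> (as the reply advises) empties the list.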

ronny.wouters
Re: Allow only TLSv1.2
« Reply #6 on: February 14, 2017, 06:50:16 am »
Thank you very much!
That did the trick.