Secure FTP tests and TLS > 1.0 fail
-
- Posts: 78
- Joined: Tue Oct 24, 2006 12:45 pm
It seems that the Secure FTP tests on port 990 fail if the FTP server is using - or requiring clients to use - a level of TLS > 1.0.
I say this as we use HostMon to check the availability of a specific file on a secure FTP server which uses the Filezilla server. By default this runs any version of TLS but after failing various security tests we decided to update it to use a minimum of TLS 1.1. This is done via a line in an xml config file.
Having made the change the server works fine as a secure FTP server (tested with Filezilla and WinSCP clients) and runs TLS 1.1. But the HostMon tests now fail, hanging during certificate presentation.
Reverting to TLS 1.0 makes the tests work fine. As 1.0 is deemed unsafe do you have any thoughts about how to get HostMon to work on this test with TLS 1.1 & 1.2?
Thanks.
SFTP? It works over SSH; there are hundreds of combinations of possible ciphers and key exchange methods.
When one of those 100 methods is not supported, it's not a bug.
What error exactly do you see in the Reply field of the test?
What key exchange methods and ciphers exactly are supported on the server side?
What HostMonitor version exactly do you use? Newer versions support more options.
Regards
Alex
Last edited by KS-Soft on Wed Jun 30, 2021 1:17 pm, edited 1 time in total.
Alex
Thanks for the prompt reply as ever.. ;}
Yes, I'm using *not* the SSH version but rather FTPS.
I use the syntax:
ftps://sysadmin@ftp.servername.net/donotdelete.txt
as the test string, with the correct pswd, and it logs in fine with TLS1.0.
All it does is check a file exists, so I know the server is up and servicing requests.
HostMon is 12.32 - the latest our license supports and it's running on W2019 build 1809.
Can you suggest any logs/tests I might try?
Thanks
David
Alex
OK, some progress.
I had misunderstood the FZserver docs. It seems to offer the highest level of TLS available on the system, so in this case that is 1.2. Indeed, checking client connects confirms that is the case.
The TLS line in the XML config:
<Item name="Minimum TLS version" type="numeric">2</Item>
sets the *minimum* TLS levels that clients can connect on. By default that is set to '0', so whilst it will try to use 1.2 it will drop back to 1.1 & then 1.0 if that is all the client supports.
Setting it to '2' only allows connections on 1.2.
So set to '0' HostMon works fine (as do clients); set to '1' or '2' HostMon times out whilst clients connect fine.
So with TLS set to '0' the hostmon test works and this is what I see on the Filezilla server logs.
Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> TLS connection established
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> USER sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> PASS **********
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 230 Logged on
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> QUIT
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 221 Goodbye
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> disconnected.
Changing the acceptable TLS level to '1' or '2' then causes HM to fail, as this log shows.
(000004)01/07/2021 13:37:09 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> 421 Login time exceeded. Closing control connection.
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> disconnected.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> 421 Login time exceeded. Closing control connection.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> disconnected.
It seems no TLS session is set up...
Normal FTPs clients still connect OK.
If I force a client (WinSCP for example) to use *only* 1.2 and set the server to *only* offer 1.1 then the connection fails as expected.
I'd like to get the HM issue resolved as I'd like to phase out <1.2 but this is not a 'show stopper'.
Is there a way of looking at the HM 'connection' logs to see what TLS versions it is trying to use?
No rush... low priority.
Thanks
Looks like the server uses Implicit mode.
HostMonitor uses Explicit mode when target port is not specified or plain mode port 21 is used.
So, if your server listens on port 990, just specify the port in the path, HostMonitor will switch to Implicit mode.
ftps://sysadmin@ftp.servername.net:990/donotdelete.txt
Regards
Alex
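As an added example (not HostMonitor's or KS-Soft's code), here is a small Python availability check that applies the same port rule Alex describes (implicit FTPS when the URL names port 990, explicit otherwise), refuses anything below TLS 1.2 on the client side, and sends PROT P before listing the file. The host, user and file name are the ones from the thread and are assumed placeholders; the password is supplied by the caller.

```python
import socket
import ssl
from ftplib import FTP_TLS, error_perm
from urllib.parse import urlparse


def ftps_mode(url):
    """Port rule: no port or port 21 means explicit FTPS (plain connect, then
    AUTH TLS); any other port, e.g. 990, means implicit FTPS (TLS first)."""
    parts = urlparse(url)
    if parts.scheme != "ftps":
        raise ValueError("expected an ftps:// URL")
    return "explicit" if parts.port in (None, 21) else "implicit"


def make_tls_context():
    """Client context refusing TLS < 1.2, the counterpart of FileZilla
    Server's 'Minimum TLS version' = 2; hostname and chain are verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ImplicitFTP_TLS(FTP_TLS):
    """ftplib only speaks explicit FTPS: wrap the control socket in TLS right
    after connecting, so login() sees an SSLSocket and skips AUTH TLS."""
    def connect(self, host="", port=0, timeout=-999, source_address=None):
        self.host, self.port = host or self.host, port or self.port
        if timeout != -999:
            self.timeout = timeout
        raw = socket.create_connection((self.host, self.port), self.timeout, source_address)
        self.af = raw.family
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def file_exists(url, password, timeout=15):
    """Log in, protect the data channel (PROT P, which FileZilla Server demands
    before any listing) and NLST the file named in the URL (assumed placeholder)."""
    parts = urlparse(url)
    client_cls = ImplicitFTP_TLS if ftps_mode(url) == "implicit" else FTP_TLS
    ftps = client_cls(context=make_tls_context(), timeout=timeout)
    ftps.connect(parts.hostname, parts.port or 21)
    ftps.login(parts.username or "anonymous", password)
    ftps.prot_p()  # without this FileZilla answers '521 PROT P required'
    name = parts.path.lstrip("/")
    try:
        found = any(e.rsplit("/", 1)[-1] == name for e in ftps.nlst(name))
    except error_perm:  # some servers reply 550 instead of an empty list
        found = False
    ftps.quit()
    return found
```

Call it as `file_exists("ftps://sysadmin@ftp.servername.net:990/donotdelete.txt", password)`; with the `:990` left out it falls back to explicit mode, which is the case the thread shows timing out.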
Thanks Alex
No joy I'm afraid.
The logs look like this:
Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 15:56:14 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> 421 Server is going offline
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> disconnected.
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> TLS connection established
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> USER sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> PASS **********
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 230 Logged on
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> PASV
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 227 Entering Passive Mode (192,168,16,16,19,191)
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> NLST donotdelete.txt
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 521 PROT P required
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> QUIT
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 221 Goodbye
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> disconnected.
The first is forced by Filezilla to use TLS 1.2 and it hangs - and the last one is set to use 'any TLS' and works fine.
Happy to try anything else...
David
PS
HostMonitor 12.94 released in August
https://www.ks-soft.net/hostmon.eng/news.htm#v1294
Regards
Alex
Secure FTP
Thanks Alex
Currently running 13.08 and I had not read the change log - duh! I'll set up the tests.
Many thanks
David