Secure FTP tests and TLS > 1.0 fail

david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Secure FTP tests and TLS > 1.0 fail

Post by david.matthewson »

It seems that the Secure FTP tests on port 990 fail if the FTP server is using - or requiring clients to use - a level of TLS > 1.0.

I say this as we use HostMon to check the availability of a specific file on a secure FTP server which uses the FileZilla server. By default this runs any version of TLS, but after failing various security tests we decided to update it to use a minimum of TLS 1.1. This is done via a line in an XML config file.

Having made the change, the server works fine as a secure FTP server (tested with FileZilla and WinSCP clients) and runs TLS 1.1. But the HostMon tests now fail, hanging during certificate presentation.

Reverting to TLS 1.0 makes the tests work fine. As 1.0 is deemed unsafe do you have any thoughts about how to get HostMon to work on this test with TLS 1.1 & 1.2?

Thanks.
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

SFTP? It works over SSH; there are hundreds of combinations of possible ciphers and key exchange methods.
When one of those 100 methods is not supported, it's not a bug.

What exact error do you see in the Reply field of the test?
What exact key exchange methods and ciphers are supported on the server side?
What HostMonitor version exactly do you use? Newer versions support more options.

Regards
Alex
Last edited by KS-Soft on Wed Jun 30, 2021 1:17 pm, edited 1 time in total.
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Probably you mean the FTPS protocol, not SFTP?
The FTPS test uses the Windows API and ciphers. Normally TLS 1.2 should work when HostMonitor is started on a modern Windows system.

Which Windows version do you use?
HostMonitor version?

Regards
Alex
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Alex

Thanks for the prompt reply, as ever. ;}

Yes, I'm using *not* the SSH version but rather FTPS.

I use the syntax:

ftps://sysadmin@ftp.servername.net/donotdelete.txt

as the test string, with the correct password, and it logs in fine with TLS 1.0.

All it does is check a file exists, so I know the server is up and servicing requests.

HostMon is 12.32 - the latest our license supports - and it's running on W2019 build 1809.

Can you suggest any logs/tests I might try?

Thanks

David
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Can you check the FileZilla server log?
FTPS status Unknown? What Reply value do you see?
Internet Explorer options: maybe TLS 1.2 is disabled?

Regards
Alex
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Alex

OK, some progress.

I had misunderstood the FZ server docs. It seems to offer the highest level of TLS available on the system. So in this case that is 1.2. Indeed, checking client connections confirms that is the case.

The TLS line in the XML config :

<Item name="Minimum TLS version" type="numeric">2</Item>

sets the *minimum* TLS level that clients can connect on. By default that is set to '0', so whilst it will try to use 1.2 it will drop back to 1.1 and then 1.0 if that is all the client supports.

Setting it to '2' only allows connections on 1.2.

So set to '0', HostMon works fine (as do clients); set to '1' or '2', HostMon times out whilst clients connect fine.

So with TLS set to '0' the HostMon test works, and this is what I see in the FileZilla server logs.

Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> TLS connection established
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> USER sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> PASS **********
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 230 Logged on
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> QUIT
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 221 Goodbye
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> disconnected.

Changing the acceptable TLS level to '1' or '2' then causes HM to fail, as this log shows.

(000004)01/07/2021 13:37:09 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> 421 Login time exceeded. Closing control connection.
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> disconnected.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> 421 Login time exceeded. Closing control connection.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> disconnected.

It seems no TLS session is set up...

Normal FTPS clients still connect OK.

If I force a client (WinSCP for example) to use *only* 1.2 and set the server to *only* offer 1.1, then the connection fails as expected.

I'd like to get the HM issue resolved as I'd like to phase out <1.2, but this is not a 'show stopper'.

Is there a way of looking at the HM 'connection' logs to see what TLS versions it is trying to use?

No rush... low priority.

Thanks
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Oh yes, and IE on the server hosting HM is set to use TLS 1.0, 1.1 & 1.2.

1.3 is not an option.
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Looks like the server uses Implicit mode.
HostMonitor uses Explicit mode when the target port is not specified or the plain-mode port 21 is used.
So, if your server listens on port 990, just specify the port in the path and HostMonitor will switch to Implicit mode.
ftps://sysadmin@ftp.servername.net:990/donotdelete.txt

Regards
Alex
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Thanks Alex

No joy I'm afraid.

The logs look like this:

Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 15:56:14 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> 421 Server is going offline
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> disconnected.

(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> TLS connection established
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> USER sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> PASS **********
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 230 Logged on
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> PASV
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 227 Entering Passive Mode (192,168,16,16,19,191)
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> NLST donotdelete.txt
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 521 PROT P required
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> QUIT
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 221 Goodbye
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> disconnected.


The first is forced by FileZilla to use TLS 1.2 and it hangs, and the last one is set to use 'any TLS' and works fine.

Happy to try anything else...

David
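The implicit-mode URL Alex gives above and the "521 PROT P required" line in David's log together describe what a monitor has to do against this server: wrap the control connection in TLS before reading the 220 banner on port 990, log in, request PBSZ 0 / PROT P so the data channel is encrypted too, and then NLST the file. The script below is an added example, not HostMonitor's or FileZilla Server's code. It performs that check with a TLS 1.2 floor and reports the negotiated TLS version (the information David asks for when he wonders what version HM is trying). The ftps:// URL parsing follows the mode rule Alex describes (no port or port 21: explicit, any other port: implicit); the names parse_ftps_target, make_tls_context, ImplicitFTP_TLS and file_exists are my own, and ftp.servername.net / sysadmin / donotdelete.txt are the thread's placeholders.

```python
"""Implicit FTPS (port 990) file-existence check with a TLS 1.2 floor.

Added example, not HostMonitor's or FileZilla Server's code.
"""
import ftplib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class FtpsTarget:
    host: str
    port: int
    user: str
    password: str
    path: str
    implicit: bool  # True: TLS before the banner (port 990); False: AUTH TLS after it


def parse_ftps_target(url: str, password: str = "") -> FtpsTarget:
    """Parse ftps://user[:pass]@host[:port]/path. Mode selection follows the rule
    given in the thread: no port or port 21 -> explicit, any other port -> implicit."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftps" or not parts.hostname:
        raise ValueError("expected an ftps://user@host[:port]/path URL")
    port = parts.port or 21
    return FtpsTarget(
        host=parts.hostname,
        port=port,
        user=unquote(parts.username or "anonymous"),
        password=unquote(parts.password) if parts.password else password,
        path=unquote(parts.path).lstrip("/"),
        implicit=port != 21,
    )


def make_tls_context(min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                     cafile: Optional[str] = None) -> ssl.SSLContext:
    """Default context (certificate + hostname verification on) with a version
    floor. Pass cafile for a server whose certificate is from a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version
    return ctx


class ImplicitFTP_TLS(ftplib.FTP_TLS):
    """ftplib.FTP_TLS speaks explicit mode only (AUTH TLS after the 220 banner).
    Implicit mode wraps the control socket in TLS before any FTP traffic, so
    connect() is overridden to do that; login() then skips AUTH because the
    socket is already an SSLSocket, and prot_p() still protects the data channel."""

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port > 0:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        if source_address is not None:
            self.source_address = source_address
        raw = socket.create_connection((self.host, self.port), self.timeout,
                                       source_address=self.source_address)
        self.af = raw.family
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()  # the 220 banner arrives inside TLS
        return self.welcome


def file_exists(target: FtpsTarget, ctx: ssl.SSLContext,
                timeout: float = 15.0) -> Tuple[bool, str]:
    """Return (file present, negotiated TLS version such as 'TLSv1.2')."""
    ftp_cls = ImplicitFTP_TLS if target.implicit else ftplib.FTP_TLS
    ftp = ftp_cls(context=ctx, timeout=timeout)
    ftp.connect(target.host, target.port)
    try:
        ftp.login(target.user, target.password)
        # PBSZ 0 + PROT P: encrypt the data channel. Without it FileZilla answers
        # the NLST with "521 PROT P required", as in the thread's log.
        ftp.prot_p()
        basename = target.path.rsplit("/", 1)[-1]
        try:
            names = ftp.nlst(target.path)
        except ftplib.error_perm:  # e.g. 550 for a missing file
            names = []
        found = any(n.rsplit("/", 1)[-1] == basename for n in names)
        return found, ftp.sock.version()
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            ftp.close()


if __name__ == "__main__":
    import sys
    # Usage: python ftps_check.py ftps://sysadmin@ftp.servername.net:990/donotdelete.txt PASSWORD
    tgt = parse_ftps_target(sys.argv[1], password=sys.argv[2] if len(sys.argv) > 2 else "")
    ok, version = file_exists(tgt, make_tls_context())
    mode = "implicit" if tgt.implicit else "explicit"
    print(f"{'FOUND' if ok else 'MISSING'} {tgt.path} via {version} ({mode} FTPS, port {tgt.port})")
    sys.exit(0 if ok else 1)
```

Run against the server with Minimum TLS version set to '2', the script either prints FOUND ... via TLSv1.2 or fails at connect() with an SSL error, which tells you immediately whether the problem is the mode (TCP connects but the server waits for a ClientHello that never comes, the "421 Login time exceeded" pattern in the log) or the cipher/version set. Keep the password out of the URL in production; the second argument exists so it does not end up in shell history or a monitor's saved test string.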
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Looks like we found a solution; we will modify our code in the next version.
We are still checking other options, but probably there is no solution for the old version 12.32.

Regards
Alex
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Brilliant! Thanks Alex - I need to get quotations for upgrading our stock of HM installations to the current version in any case.
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

So far we have modified the RMA x64 version so it can perform this test.
RMA x86 and HostMonitor still use the old code.

Regards
Alex
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Post by david.matthewson »

Thanks for the update Alex

brgds

David
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

PS
HostMonitor 12.94 was released in August:
https://www.ks-soft.net/hostmon.eng/news.htm#v1294

Regards
Alex
david.matthewson
Posts: 78
Joined: Tue Oct 24, 2006 12:45 pm

Secure FTP

Post by david.matthewson »

Thanks Alex

Currently running 13.08 and I had not read the change log - duh! I'll set up the tests.

Many thanks

David