KS-Soft. Network Management Solutions

Secure FTP tests and TLS > 1.0 fail

KS-Soft Forum Index -> Bug reports

david.matthewson
PostPosted: Wed Jun 30, 2021 10:59 am    Post subject: Secure FTP tests and TLS > 1.0 fail

It seems that the Secure FTP tests on port 990 fail if the FTP server is using, or requiring clients to use, a level of TLS > 1.0.

I say this as we use HostMon to check the availability of a specific file on a secure FTP server which uses the Filezilla server. By default this runs any version of TLS, but after failing various security tests we decided to update it to use a minimum of TLS 1.1. This is done via a line in an XML config file.

Having made the change, the server works fine as a secure FTP server (tested with Filezilla and WinSCP clients) and runs TLS 1.1. But the HostMon tests now fail, hanging during certificate presentation.

Reverting to TLS 1.0 makes the tests work fine. As 1.0 is deemed unsafe do you have any thoughts about how to get HostMon to work on this test with TLS 1.1 & 1.2?

Thanks.

KS-Soft
PostPosted: Wed Jun 30, 2021 12:12 pm

SFTP? It works over SSH; there are hundreds of combinations of possible ciphers and key exchange methods.
When some of the 100 methods are not supported, it's not a bug.

What exact error do you see in the Reply field of the test?
What exact key exchange methods and ciphers are supported on the server side?
What exact HostMonitor version do you use? Newer versions support more options.

Regards
Alex


Last edited by KS-Soft on Wed Jun 30, 2021 1:17 pm; edited 1 time in total

KS-Soft
PostPosted: Wed Jun 30, 2021 12:42 pm

Probably you mean the FTPS protocol, not SFTP?
The FTPS test uses the Windows API and ciphers. Normally TLS 1.2 should work when HostMonitor is started on a modern Windows system.

What Windows do you use?
HostMonitor version?

Regards
Alex

david.matthewson
PostPosted: Wed Jun 30, 2021 1:28 pm

Alex

Thanks for the prompt reply as ever.. ;}

Yes, I am using *not* the SSH version but rather FTPS.

I use the syntax:

ftps://sysadmin@ftp.servername.net/donotdelete.txt

as the test string, with the correct password, and it logs in fine with TLS 1.0.

All it does is check a file exists, so I know the server is up and servicing requests.

HostMon is 12.32 - the latest our license supports and it's running on W2019 build 1809.

Can you suggest any logs/tests I might try?

Thanks

David

KS-Soft
PostPosted: Wed Jun 30, 2021 2:43 pm

Can you check the Filezilla server log?
Is the FTPS status Unknown? What Reply value do you see?
Internet Explorer options: maybe TLS 1.2 is disabled?

Regards
Alex

david.matthewson
PostPosted: Thu Jul 01, 2021 6:46 am

Alex

OK, some progress.

I had misunderstood the FZ server docs. It seems to offer the highest level of TLS available on the system, so in this case that is 1.2. Indeed, checking client connections confirms that is the case.

The TLS line in the XML config:

<Item name="Minimum TLS version" type="numeric">2</Item>

sets the *minimum* TLS level that clients can connect on. By default that is set to '0', so whilst it will try to use 1.2 it will drop back to 1.1 and then 1.0 if that is all the client supports.

Setting it to '2' only allows connections on 1.2.

So set to '0', HostMon works fine (as do clients); set to '1' or '2', HostMon times out whilst clients connect fine.

So with TLS set to '0' the HostMon test works, and this is what I see in the Filezilla server logs.

Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> TLS connection established
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> USER sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> PASS **********
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 230 Logged on
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> QUIT
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 221 Goodbye
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> disconnected.

Changing the acceptable TLS level to '1' or '2' then causes HM to fail, as this log shows.

(000004)01/07/2021 13:37:09 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> 421 Login time exceeded. Closing control connection.
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> disconnected.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> 421 Login time exceeded. Closing control connection.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> disconnected.

It seems no TLS session is set up...

Normal FTPS clients still connect OK.

If I force a client (WinSCP for example) to use *only* 1.2 and set the server to *only* offer 1.1 then the connection fails as expected.

I'd like to get the HM issue resolved as I'd like to phase out <1.2 but this is not a 'show stopper'.

Is there a way of looking at the HM 'connection' logs to see what TLS versions it is trying to use?

No rush... low priority.

Thanks

david.matthewson
PostPosted: Thu Jul 01, 2021 6:49 am

Oh yes, and IE on the server hosting HM is set to use TLS 1.0,1.1 & 1.2.

1.3 is not an option.

KS-Soft
PostPosted: Thu Jul 01, 2021 7:14 am

Looks like the server uses Implicit mode.
HostMonitor uses Explicit mode when the target port is not specified or the plain-mode port 21 is used.
So, if your server listens on port 990, just specify the port in the path and HostMonitor will switch to Implicit mode.
ftps://sysadmin@ftp.servername.net:990/donotdelete.txt

Regards
Alex

david.matthewson
PostPosted: Thu Jul 01, 2021 9:02 am

Thanks Alex

No joy I'm afraid.

The logs look like this:

Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 15:56:14 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> 421 Server is going offline
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> disconnected.

(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> TLS connection established
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> USER sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> PASS **********
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 230 Logged on
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> PASV
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 227 Entering Passive Mode (192,168,16,16,19,191)
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> NLST donotdelete.txt
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 521 PROT P required
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> QUIT
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 221 Goodbye
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> disconnected.


The first is forced by Filezilla to use TLS 1.2 and it hangs; the last one is set to use 'any TLS' and works fine.

Happy to try anything else...

David
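The check David's test performs, written out in Python's ftplib as an added example (this is not HostMonitor's or FileZilla's code): implicit FTPS on port 990 as Alex describes, a TLS 1.2 floor on the client side so the 1.0/1.1 fallback cannot be used, and PROT P before the NLST so the server does not answer "521 PROT P required" as in the log above. The URL and file name are the ones from the thread; the password argument is assumed.

```python
import ftplib
import ssl
from urllib.parse import urlparse

def parse_ftps_url(url):
    """Split ftps://user@host[:port]/path and pick the mode the thread
    describes: port 990 -> implicit TLS, no port or 21 -> explicit (AUTH TLS)."""
    u = urlparse(url)
    if u.scheme != "ftps" or not u.hostname:
        raise ValueError("expected ftps://user@host[:port]/path")
    port = u.port or 21
    return {"user": u.username, "host": u.hostname, "port": port,
            "path": u.path.lstrip("/"),
            "mode": "implicit" if port == 990 else "explicit"}

class ImplicitFTP_TLS(ftplib.FTP_TLS):
    """ftplib only speaks explicit FTPS; wrap the control socket as soon as
    it is created so the TLS handshake runs before the 220 banner (implicit mode)."""
    _sock = None
    @property
    def sock(self):
        return self._sock
    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value

def file_exists(url, password, timeout=10):
    """True if the server lists the file named in the URL (the HostMon check)."""
    t = parse_ftps_url(url)
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse the 1.0/1.1 fallback
    cls = ImplicitFTP_TLS if t["mode"] == "implicit" else ftplib.FTP_TLS
    ftp = cls(context=ctx, timeout=timeout)
    ftp.connect(t["host"], t["port"])
    try:
        ftp.login(t["user"], password)  # explicit mode sends AUTH TLS here
        ftp.prot_p()  # protect the data channel; without it FileZilla answers 521
        names = ftp.nlst(t["path"])
    except ftplib.error_perm:  # 450/550: file not found or not listable
        return False
    finally:
        ftp.quit()
    wanted = t["path"].rsplit("/", 1)[-1]
    return any(n.rsplit("/", 1)[-1] == wanted for n in names)
```

create_default_context verifies the server certificate and hostname, so a self-signed FileZilla certificate has to be added to the trust store (or pinned via ctx.load_verify_locations) before the handshake succeeds.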
KS-Soft
PostPosted: Thu Jul 01, 2021 10:26 pm

Looks like we found the solution; we will modify our code in the next version.
We are still checking other options, but probably there is no solution for the old version 12.32.

Regards
Alex

david.matthewson
PostPosted: Fri Jul 02, 2021 2:06 am

Brilliant! Thanks Alex - I need to get quotations for u/g our stock of HM installations to the current version in any case.

KS-Soft
PostPosted: Mon Jul 05, 2021 8:21 am

So far we have modified the RMA x64 version so it can perform this test.
RMA x86 and HostMonitor use the old code.

Regards
Alex

david.matthewson
PostPosted: Mon Jul 05, 2021 8:43 am

Thanks for the update Alex

brgds

David
All times are GMT - 6 Hours