david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Wed Jun 30, 2021 10:59 am Post subject: Secure FTP tests and TLS > 1.0 fail
It seems that the Secure FTP tests on port 990 fail if the FTP server is using - or requiring clients to use - a level of TLS > 1.0.
I say this as we use HostMon to check the availability of a specific file on a secure FTP server which uses the Filezilla server. By default this runs any version of TLS, but after failing various security tests we decided to update it to use a minimum of TLS 1.1. This is done via a line in an XML config file.
Having made the change, the server works fine as a secure FTP server (tested with Filezilla and WinSCP clients) and runs TLS 1.1. But the HostMon tests now fail, hanging during certificate presentation.
Reverting to TLS 1.0 makes the tests work fine. As 1.0 is deemed unsafe, do you have any thoughts about how to get HostMon to work on this test with TLS 1.1 & 1.2?
Thanks.
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
Posted: Wed Jun 30, 2021 12:12 pm
SFTP? That works over SSH; there are hundreds of combinations of possible ciphers and key exchange methods.
When one of those 100 methods is not supported, it's not a bug.
What exact error do you see in the Reply field of the test?
What exact key exchange methods and ciphers are supported on the server side?
What exact HostMonitor version do you use? Newer versions support more options.
Regards
Alex
Last edited by KS-Soft on Wed Jun 30, 2021 1:17 pm; edited 1 time in total
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
Posted: Wed Jun 30, 2021 12:42 pm
Probably you mean the FTPS protocol, not SFTP?
The FTPS test uses the Windows API and its ciphers. Normally TLS 1.2 should work when HostMonitor is started on a modern Windows system.
What Windows do you use?
HostMonitor version?
Regards
Alex
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Wed Jun 30, 2021 1:28 pm
Alex
Thanks for the prompt reply, as ever. ;}
Yes, I'm using *not* the SSH version but rather FTPS.
I use the syntax:
ftps://sysadmin@ftp.servername.net/donotdelete.txt
as the test string, with the correct password, and it logs in fine with TLS 1.0.
All it does is check a file exists, so I know the server is up and servicing requests.
HostMon is 12.32, the latest our license supports, and it's running on W2019 build 1809.
Can you suggest any logs/tests I might try?
Thanks
David
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
Posted: Wed Jun 30, 2021 2:43 pm
Can you check the Filezilla server log?
FTPS status Unknown? What Reply value do you see?
Internet Explorer options, maybe TLS 1.2 is disabled?
Regards
Alex
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Thu Jul 01, 2021 6:46 am
Alex
OK, some progress.
I had misunderstood the FZ Server docs. It seems to offer the highest level of TLS available on the system. So in this case that is 1.2. Indeed, checking client connections confirms that is the case.
The TLS line in the XML config:
<Item name="Minimum TLS version" type="numeric">2</Item>
sets the *minimum* TLS level that clients can connect on. By default that is set to '0', so whilst it will try to use 1.2 it will drop back to 1.1 & then 1.0 if that is all the client supports.
Setting it to '2' only allows connections on 1.2.
So set to '0', HostMon works fine (as do clients); set to '1' or '2', HostMon times out whilst clients connect fine.
So with TLS set to '0' the HostMon test works, and this is what I see in the Filezilla server logs.
Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> TLS connection established
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> USER sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> PASS **********
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 230 Logged on
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> QUIT
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 221 Goodbye
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> disconnected.
Changing the acceptable TLS level to '1' or '2' then causes HM to fail, as this log shows.
(000004)01/07/2021 13:37:09 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> 421 Login time exceeded. Closing control connection.
(000001)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> disconnected.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> 421 Login time exceeded. Closing control connection.
(000002)01/07/2021 13:37:27 - (not logged in) (82.69.249.110)> disconnected.
It seems no TLS session is set up...
Normal FTPs clients still connect OK.
If I force a client (WinSCP for example) to use *only* 1.2 and set the server to *only* offer 1.1 then the connection fails as expected.
I'd like to get the HM issue resolved as I'd like to phase out <1.2 but this is not a 'show stopper'.
Is there a way of looking at the HM 'connection' logs to see what TLS versions it is trying to use?
No rush... low priority.
Thanks
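A small triage script for FileZilla Server log excerpts like the ones above, added here as an example (it is not FileZilla's or HostMonitor's code). It groups the control-connection lines by session id and separates a session that opened the control connection but never reached "TLS connection established" before a 421 (the signature in the second excerpt, where no TLS session is set up) from a session that did log in over TLS but was then refused with "521 PROT P required" because the client never asked for a protected data channel. The sample log is constructed from the line format posted above, with consistent session ids; the hint text is my interpretation of each signature, not server output, and the "most likely" cause in the no-TLS hint is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the FileZilla Server 0.9.x log format posted
# above: one healthy session, one that never reached TLS, one that logged in
# but left the data channel unprotected.  The first three lines are the
# admin-interface chatter that precedes the session lines in the excerpts.
SAMPLE_LOG = """\
Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> TLS connection established
(000001)01/07/2021 13:32:18 - (not logged in) (192.168.16.7)> USER sysadmin
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 230 Logged on
(000001)01/07/2021 13:32:18 - sysadmin (192.168.16.7)> 221 Goodbye
(000004)01/07/2021 13:37:09 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000004)01/07/2021 13:37:16 - (not logged in) (192.168.16.7)> 421 Login time exceeded. Closing control connection.
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> TLS connection established
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 230 Logged on
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> PASV
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> NLST donotdelete.txt
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 521 PROT P required
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 221 Goodbye
"""

# (sid)date time - user (ip)> message ; admin-interface lines do not match
LINE = re.compile(r"^\((?P<sid>\d+)\)(?P<ts>\S+ \S+) - (?P<user>.+?) "
                  r"\((?P<ip>[^)]+)\)> (?P<msg>.*)$")

OK = "ok"
NO_TLS = "no-tls-handshake"        # control connection opened, TLS never established
NO_PROT_P = "no-prot-p"            # logged in over TLS, data channel left in clear
IDLE_AFTER_TLS = "idle-after-tls"  # TLS up, then the server timed the login out
INCOMPLETE = "incomplete"          # connected, no outcome in this excerpt

HINTS = {
    NO_TLS: ("client never started a TLS handshake: most likely it is waiting "
             "for a plaintext banner (explicit mode) on an implicit-mode port, "
             "or it offers no TLS version the server's minimum allows"),
    NO_PROT_P: "client must send PBSZ 0 and PROT P before PASV/NLST",
    IDLE_AFTER_TLS: "TLS was fine; the client stalled before or during USER/PASS",
    INCOMPLETE: "session still open or log truncated",
    OK: "",
}


def parse(log_text):
    """Group the parsed control-connection lines by session id, in log order."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sessions[m["sid"]].append(m.groupdict())
    return sessions


def classify(events):
    """Verdict code for one session, derived from its server messages."""
    msgs = [e["msg"] for e in events]
    tls = any(m == "TLS connection established" for m in msgs)
    if any(m.startswith("521 PROT P required") for m in msgs):
        return NO_PROT_P
    if any(m.startswith("421 ") for m in msgs):
        return IDLE_AFTER_TLS if tls else NO_TLS
    if any(m.startswith("230 ") for m in msgs):
        return OK
    return INCOMPLETE


def triage(log_text):
    """Map session id -> verdict code."""
    return {sid: classify(ev) for sid, ev in parse(log_text).items()}


def report(log_text):
    """One human-readable line per session that is not healthy."""
    sessions = parse(log_text)
    out = []
    for sid, verdict in triage(log_text).items():
        if verdict != OK:
            first = sessions[sid][0]
            out.append("session %s from %s at %s: %s (%s)"
                       % (sid, first["ip"], first["ts"], verdict, HINTS[verdict]))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the real log instead of SAMPLE_LOG (`report(open("FileZilla Server.log").read())`); a session flagged no-tls-handshake while ordinary FTPS clients still connect points at the monitoring client's TLS mode or version offer rather than at the server.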
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Thu Jul 01, 2021 6:49 am
Oh yes, and IE on the server hosting HM is set to use TLS 1.0, 1.1 & 1.2.
1.3 is not an option.
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
Posted: Thu Jul 01, 2021 7:14 am
Looks like the server uses Implicit mode.
HostMonitor uses Explicit mode when the target port is not specified or the plain-mode port 21 is used.
So, if your server listens on port 990, just specify the port in the path; HostMonitor will switch to Implicit mode.
ftps://sysadmin@ftp.servername.net:990/donotdelete.txt
Regards
Alex
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Thu Jul 01, 2021 9:02 am
Thanks Alex
No joy I'm afraid.
The logs look like this:
Connecting to server localhost:14147...
Connected, waiting for authentication
Logged on
(000001)01/07/2021 15:56:14 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> 421 Server is going offline
(000001)01/07/2021 15:57:06 - (not logged in) (192.168.16.7)> disconnected.
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> Connected on port 990, sending welcome message...
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> TLS connection established
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> USER sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> 331 Password required for sysadmin
(000006)01/07/2021 16:01:30 - (not logged in) (192.168.16.7)> PASS **********
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 230 Logged on
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> PASV
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 227 Entering Passive Mode (192,168,16,16,19,191)
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> NLST donotdelete.txt
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 521 PROT P required
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> QUIT
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> 221 Goodbye
(000006)01/07/2021 16:01:30 - sysadmin (192.168.16.7)> disconnected.
The first is forced by Filezilla to use TLS 1.2 and it hangs; the last one is set to use 'any TLS' and works fine.
Happy to try anything else...
David
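The probe below is an added example (not HostMonitor's or FileZilla's code) of what an FTPS "file exists" check has to do to pass against this server. It applies the port rule from Alex's post (no port or 21 means explicit mode, AUTH TLS after the banner; 990 means implicit mode, TLS before the banner), pins TLS 1.2 as the client minimum, and sends PBSZ 0 and PROT P before the NLST so the server does not answer "521 PROT P required" as in the log above. It is built on Python's ftplib, which only speaks explicit mode out of the box. The host, user and file name are the placeholders from the thread; the password comes from the environment rather than from the URL. Reusing the control connection's TLS session on the data connection, and pinning the server certificate via cafile, are assumptions about the deployment, not facts from the thread.

```python
import ftplib
import os
import ssl
import sys
from urllib.parse import urlparse

IMPLICIT_PORT = 990  # implicit FTPS: TLS handshake first, then the 220 banner
EXPLICIT_PORT = 21   # explicit FTPS: plaintext banner, then AUTH TLS


def plan_from_url(url):
    """Read the HostMonitor-style test string: no port (or 21) means explicit
    mode, 990 means implicit mode.  The password is never taken from the URL."""
    u = urlparse(url)
    if u.scheme != "ftps":
        raise ValueError("expected an ftps:// URL, got %r" % url)
    port = u.port or EXPLICIT_PORT
    return {"host": u.hostname, "port": port, "user": u.username or "anonymous",
            "path": u.path.lstrip("/"), "implicit": port == IMPLICIT_PORT}


def make_tls_context(minimum=ssl.TLSVersion.TLSv1_2, cafile=None):
    """Client policy: TLS >= minimum, certificate and hostname verified.
    For a self-signed FileZilla certificate, point cafile at that certificate
    (pinning) rather than turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = minimum
    return ctx


def tls_policy(ctx):
    """Summarise a context so the policy can be asserted without a network."""
    return {"minimum": ctx.minimum_version.name,
            "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname}


class FTPS(ftplib.FTP_TLS):
    """ftplib.FTP_TLS only knows explicit mode.  With implicit=True the control
    socket is wrapped in TLS the moment FTP.connect() creates it, before ftplib
    tries to read the banner, which is what a port-990 server waits for."""

    _sock = None

    def __init__(self, implicit=False, **kwargs):
        self.implicit = implicit
        super().__init__(**kwargs)

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        # FTP.connect() assigns the plain TCP socket here; in implicit mode the
        # handshake happens now, so the 220 banner already arrives encrypted.
        if self.implicit and value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value

    def ntransfercmd(self, cmd, rest=None):
        # Bypass FTP_TLS.ntransfercmd so the data socket can resume the control
        # connection's TLS session (assumption: the server may require this).
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:
            conn = self.context.wrap_socket(conn, server_hostname=self.host,
                                            session=self.sock.session)
        return conn, size


def ftps_file_exists(url, password, minimum=ssl.TLSVersion.TLSv1_2,
                     cafile=None, timeout=15):
    """True if the server lists the file named in url; False if it is absent."""
    plan = plan_from_url(url)
    ftp = FTPS(implicit=plan["implicit"],
               context=make_tls_context(minimum, cafile), timeout=timeout)
    try:
        ftp.connect(plan["host"], plan["port"])
        ftp.login(plan["user"], password)  # explicit mode: AUTH TLS is sent here
        ftp.prot_p()                       # PBSZ 0 + PROT P before any data transfer
        try:
            names = ftp.nlst(plan["path"])
        except (ftplib.error_perm, ftplib.error_temp):  # e.g. 550 file not found
            return False
        wanted = plan["path"].rsplit("/", 1)[-1]
        return any(n.rsplit("/", 1)[-1] == wanted for n in names)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__" and len(sys.argv) > 1:
    # usage: FTPS_PASSWORD=... python ftps_probe.py ftps://user@host:990/file
    print(ftps_file_exists(sys.argv[1], os.environ.get("FTPS_PASSWORD", "")))
```

With the server's "Minimum TLS version" left at 2, this probe succeeds only if the TLS 1.2 handshake, the certificate check and the PROT P negotiation all pass, which is the behaviour the monitoring test should have; dropping `minimum` to TLSv1 to make a failing check go green would just hide the same gap the server setting was meant to close.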
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
Posted: Thu Jul 01, 2021 10:26 pm
Looks like we found a solution; we will modify our code in the next version.
We are still checking other options, but probably there is no solution for the old version 12.32.
Regards
Alex
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Fri Jul 02, 2021 2:06 am
Brilliant! Thanks Alex. I need to get quotations for upgrading our stock of HM installations to the current version in any case.
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
Posted: Mon Jul 05, 2021 8:21 am
So far we have modified the RMA x64 version so it can perform this test.
RMA x86 and HostMonitor use the old code.
Regards
Alex
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Mon Jul 05, 2021 8:43 am
Thanks for the update, Alex
Best regards
David
KS-Soft
Joined: 03 Apr 2002 Posts: 12808 Location: USA
david.matthewson
Joined: 24 Oct 2006 Posts: 78
Posted: Wed Jan 12, 2022 10:45 am Post subject: Secure FTP
Thanks Alex
Currently running 13.08 and I had not read the change log - duh! I'll set up the tests.
Many thanks
David