Hello everybody,
I am writing on that mailing list because I have an issue using lftp and I would love to have more info about the features available in the lftp version provided by CentOS 6.
I try to connect to an FTP server in secured mode using explicit FTPS and I would love to use TLSv1.2.
After several tries, I understood that the TLS negotiation was not possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand why:
- The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use gnutls-cli in order to make a TLSv1.2 connection.
- It also works perfectly with an openssl client, so it's not a server-side issue.
- I don't see anything in the lftp changelog or features list saying that lftp is not compliant with TLSv1.2.
So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) make a TLSv1.2 connection? If it is not possible, I can deal with it, but I'm curious to know if it is a feature or a bug. Indeed, if it's a bug it could be interesting to submit an issue for a potential resolution.
Thanks for your answers
Regards, Olivier Bonhomme
At least the latest version supports tlsv1.2 -- maybe packaged version is a bit old?
Eero
2016-08-02 14:11 GMT+03:00 Olivier BONHOMME obonhomme@nerim.net:
Hello everybody,
I am writing on that mailing list because I have an issue using lftp and I would love to have more info about the features available in the lftp version provided by CentOS 6.
I try to connect to an FTP server in secured mode using explicit FTPS and I would love to use TLSv1.2.
After several tries, I understood that the TLS negotiation was not possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand why:
- The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use gnutls-cli in order to make a TLSv1.2 connection.
- It also works perfectly with an openssl client, so it's not a server-side issue.
- I don't see anything in the lftp changelog or features list saying that lftp is not compliant with TLSv1.2.
So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) make a TLSv1.2 connection? If it is not possible, I can deal with it, but I'm curious to know if it is a feature or a bug. Indeed, if it's a bug it could be interesting to submit an issue for a potential resolution.
Thanks for your answers
Regards, Olivier Bonhomme
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
On 08/02/2016 06:11 AM, Olivier BONHOMME wrote:
Hello everybody,
I am writing on that mailing list because I have an issue using lftp and I would love to have more info about the features available in the lftp version provided by CentOS 6.
I try to connect to an FTP server in secured mode using explicit FTPS and I would love to use TLSv1.2.
After several tries, I understood that the TLS negotiation was not possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand why:
- The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use gnutls-cli in order to make a TLSv1.2 connection.
- It also works perfectly with an openssl client, so it's not a server-side issue.
- I don't see anything in the lftp changelog or features list saying that lftp is not compliant with TLSv1.2.
So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) make a TLSv1.2 connection? If it is not possible, I can deal with it, but I'm curious to know if it is a feature or a bug. Indeed, if it's a bug it could be interesting to submit an issue for a potential resolution.
Thanks for your answers
The latest lftp in CentOS-6.8 is version: lftp-4.0.9-6.el6_8.2. It was built on July 12, 2016.
That was built with nss-3.21.0-8.el6 in the build root.
If you have the latest installed, it would seem that it should be able to work.
On Tue, Aug 02, 2016 at 07:36:02AM -0500, Johnny Hughes wrote:
The latest lftp in CentOS-6.8 is version: lftp-4.0.9-6.el6_8.2. It was built on July 12, 2016.
That was built with nss-3.21.0-8.el6 in the build root.
If you have the latest installed, it would seem that it should be able to work.
Hello Johnny,
Thanks for your answer. On my system, I'm up to date for the lftp version. It's also the same for gnutls.
However, I feel somewhat confused: you mentioned that lftp has been built with NSS. But as far as I know, lftp uses GnuTLS for crypto operations and not NSS.
Did I miss something?
Regards, Olivier
On 08/02/2016 09:43 AM, Olivier BONHOMME wrote:
On Tue, Aug 02, 2016 at 07:36:02AM -0500, Johnny Hughes wrote:
The latest lftp in CentOS-6.8 is version: lftp-4.0.9-6.el6_8.2. It was built on July 12, 2016.
That was built with nss-3.21.0-8.el6 in the build root.
If you have the latest installed, it would seem that it should be able to work.
Hello Johnny,
Thanks for your answer. On my system, I'm up to date for the lftp version. It's also the same for gnutls.
However, I feel somewhat confused: you mentioned that lftp has been built with NSS. But as far as I know, lftp uses GnuTLS for crypto operations and not NSS.
Did I miss something?
I just listed the nss in the build root at the time of the build. It is built against gnutls-devel, and that version was:
    gnutls-devel x86_64 2.8.5-19.el6_7
My good man <g>
Olivier BONHOMME wrote:
Hello everybody,
I am writing on that mailing list because I have an issue using lftp and I would love to have more info about the features available in the lftp version provided by CentOS 6.
I try to connect to an FTP server in secured mode using explicit FTPS and I would love to use TLSv1.2.
After several tries, I understood that the TLS negotiation was not possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand why:
<snip>
Googling on TLS 1.2, I see posts within the last year or so of folks discussing older browsers on the user side that have not been upgraded in too long, and so are not TLS 1.2 capable.
mark
On 02/08/2016 12:11, Olivier BONHOMME wrote:
So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) make a TLSv1.2 connection?
It may not be related, but in the past I have needed to rebuild libNSS and curl in CentOS 6 due to an upstream patch that explicitly disabled TLSv1.2 in the default list of supported versions. As I recall, this was done to maintain support for servers that could not work when the SSL/TLS negotiation was longer than X bytes. Unfortunately, I can't find the bug I referenced at the time.
If it's like curl, you might be able to explicitly enable TLSv1.2 on the command line; otherwise I suspect you could recompile the source RPM, removing patches if required.
On Tue, Aug 02, 2016 at 02:13:31PM +0100, Tom Grace wrote:
On 02/08/2016 12:11, Olivier BONHOMME wrote:
So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) make a TLSv1.2 connection?
It may not be related, but in the past I have needed to rebuild libNSS and curl in CentOS 6 due to an upstream patch that explicitly disabled TLSv1.2 in the default list of supported versions. As I recall, this was done to maintain support for servers that could not work when the SSL/TLS negotiation was longer than X bytes. Unfortunately, I can't find the bug I referenced at the time.
If it's like curl, you might be able to explicitly enable TLSv1.2 on the command line; otherwise I suspect you could recompile the source RPM, removing patches if required.
Hello Tom,
It's indeed an interesting lead. I didn't think about something simply being disabled. I browsed the gnutls RPM changelog and I saw this:
    * Thu May 3 2012 Tomas Mraz tmraz@redhat.com 2.8.5-7
    - more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)
So TLS 1.2 seems to be there but disabled by default, so maybe lftp can't use it because it can't force it.
I tried browsing the code and the RPM patches, but I was unable to find where this disabling is done.
Does anybody have an idea?
Regards, Olivier
On Tue, Aug 02, 2016 at 02:56:26PM +0000, Olivier BONHOMME wrote:
Hello Tom,
It's indeed an interesting lead. I didn't think about something simply being disabled. I browsed the gnutls RPM changelog and I saw this:
    * Thu May 3 2012 Tomas Mraz tmraz@redhat.com 2.8.5-7
    - more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)
So TLS 1.2 seems to be there but disabled by default, so maybe lftp can't use it because it can't force it.
I tried browsing the code and the RPM patches, but I was unable to find where this disabling is done.
Does anybody have an idea?
Hello guy,
I think I found something. If we look into the upstream source provided in the GnuTLS SRPM, we have in the file lib/gnutls_priority.c:
    static const int protocol_priority[] = {
        /* GNUTLS_TLS1_2, -- not finalized yet! */
        GNUTLS_TLS1_1,
        GNUTLS_TLS1_0,
        GNUTLS_SSL3,
        0
    };
So I guess that even if TLS 1.2 is implemented in the CentOS version, the default priority doesn't allow TLS 1.2 to be used.
And I think that lftp doesn't allow forcing this priority, which is why I can't use TLS 1.2 and only TLS 1.1 at most.
So the question is: can that behaviour be considered an lftp bug or not?
Regards, Olivier
On Tue, Aug 02, 2016 at 03:29:07PM +0000, Olivier BONHOMME wrote:
On Tue, Aug 02, 2016 at 02:56:26PM +0000, Olivier BONHOMME wrote:
So the question is: can that behaviour be considered an lftp bug or not?
Hello again,
Just answering myself and the list for a conclusion. lftp in CentOS uses the default priority provided by gnutls, and it's not possible to override it in the lftp 4.0.9 provided in CentOS 6.
However, the ssl:priority feature has been implemented in lftp 4.6.2 (https://github.com/lavv17/lftp/commit/b406805d2b3d4c9a88e24363980e5717e61d09...) and there is also a RHEL/CentOS backport for CentOS 7 (https://git.centos.org/blob/rpms!lftp/373a02466b773fe2dbbfde702aec1848e006ba...).
I think it would be nice if that feature could be backported into the CentOS 6 lftp version.
Regards, Olivier
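An added example (not from the thread or from the lftp/GnuTLS projects) tying together the two findings above: the GnuTLS default protocol_priority omits TLS 1.2, and only lftp 4.6.2 and later expose ssl:priority to override it. The helper assumes the "LFTP | Version X.Y.Z" banner format of lftp --version and the GnuTLS priority keyword +VERS-TLS1.2; the openssl probe needs network access and is not exercised by the test.

```shell
#!/bin/sh
# Added example: decide whether the installed lftp can override GnuTLS's
# default protocol priority (ssl:priority, first shipped in lftp 4.6.2 per
# the thread) and emit the rc line that asks GnuTLS for TLS 1.2.

# version_ge A B: exit 0 when dotted version A >= B (up to 3 components).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        b=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Extract "4.0.9" from a banner such as "LFTP | Version 4.0.9 | Copyright ...".
# Assumed banner format; pass the first line of `lftp --version`.
lftp_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# ssl:priority exists from lftp 4.6.2 onward (thread's finding).
lftp_supports_ssl_priority() {
    version_ge "$1" "4.6.2"
}

# Rc line for ~/.lftprc: start from GnuTLS's NORMAL set and explicitly add
# TLS 1.2, which the stock 2.8.5 protocol_priority leaves out. The
# +VERS-TLS1.2 keyword is assumed to be accepted by the installed GnuTLS.
tls12_priority_rc() {
    printf 'set ssl:priority "NORMAL:+VERS-TLS1.2"\n'
}

# Server-side check (needs network): confirm the FTP server itself completes
# an explicit-FTPS handshake at TLS 1.2, independent of lftp. $1 host, $2 port.
check_server_tls12() {
    openssl s_client -connect "$1:$2" -starttls ftp -tls1_2 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1.2'
}

if [ "${1:-}" = "--check" ]; then
    ver=$(lftp_version_from_banner "$(lftp --version 2>/dev/null | head -n 1)")
    if lftp_supports_ssl_priority "$ver"; then
        echo "lftp $ver: add to ~/.lftprc: $(tls12_priority_rc)"
    else
        echo "lftp $ver: no ssl:priority; stuck with GnuTLS default (no TLS 1.2)"
    fi
fi
```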
On 08/02/2016 11:00 AM, Olivier BONHOMME wrote:
On Tue, Aug 02, 2016 at 03:29:07PM +0000, Olivier BONHOMME wrote:
On Tue, Aug 02, 2016 at 02:56:26PM +0000, Olivier BONHOMME wrote:
So the question is: can that behaviour be considered an lftp bug or not?
Hello again,
Just answering myself and the list for a conclusion. lftp in CentOS uses the default priority provided by gnutls, and it's not possible to override it in the lftp 4.0.9 provided in CentOS 6.
However, the ssl:priority feature has been implemented in lftp 4.6.2 (https://github.com/lavv17/lftp/commit/b406805d2b3d4c9a88e24363980e5717e61d09...) and there is also a RHEL/CentOS backport for CentOS 7 (https://git.centos.org/blob/rpms!lftp/373a02466b773fe2dbbfde702aec1848e006ba...).
I think it would be nice if that feature could be backported into the CentOS 6 lftp version.
CentOS rebuilds the source code from RHEL-6. If anything is going to be backported, it would need to be backported into RHEL-6 and released, and we would then get it into CentOS-6.