
martin

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

Thanks for sharing your solution!
vankom

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

Just final confirmation:
After changing the server certificate from SHA1 to SHA256, the connection is working in all versions mentioned above.
Thank you, this case is solved.
vankom

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

I found the cause (tcpdump analysis):
WinSCP Version 6.3.3 TLSv1.2-TLSv1.2.log error
-Signature Hash Algorithms (23 algorithms)
-SHA1 support is missing
WinSCP Version 6.3.3 TLSv1.1-TLSv1.2.log working
-Signature Hash Algorithms (26 algorithms)
-SHA1 is supported (algorithms 0x201, 0x202, 0x203)
It is caused by OpenSSL 3.1.3
* X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
Solution: We make a new server certificate with current security standards.
Thank you for the conversation.
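
The comparison described in the post above (whether the ClientHello's signature_algorithms extension still lists the SHA1 code points 0x201, 0x202, 0x203) can be repeated on a captured record with a short parser. This is an added example, not part of the original post or of WinSCP; the sample ClientHello bytes are constructed and the function names are hypothetical.

```python
import struct

SIG_ALGS_EXT = 13  # signature_algorithms extension type (RFC 5246 / RFC 8446)
# The three SHA-1 code points named in the post
SHA1_SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0202: "dsa_sha1", 0x0203: "ecdsa_sha1"}

def signature_algorithms(record: bytes) -> list[int]:
    """Return the signature scheme code points offered in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    if pos + 2 > len(record):
        return []                             # ClientHello without any extensions
    end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        if ext_type == SIG_ALGS_EXT:
            body = record[pos + 4 : pos + 4 + ext_len]
            (n,) = struct.unpack_from(">H", body, 0)
            return list(struct.unpack_from(f">{n // 2}H", body, 2))
        pos += 4 + ext_len
    return []

def sha1_offered(record: bytes) -> list[str]:
    """Names of the SHA-1 signature schemes the client still advertises."""
    return [SHA1_SCHEMES[s] for s in signature_algorithms(record) if s in SHA1_SCHEMES]

def build_client_hello(schemes: list[int]) -> bytes:
    """Constructed sample input: minimal ClientHello carrying only signature_algorithms."""
    algs = struct.pack(f">{len(schemes)}H", *schemes)
    ext = struct.pack(">HHH", SIG_ALGS_EXT, len(algs) + 2, len(algs)) + algs
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed samples: one client that still offers SHA-1, one that does not.
WITH_SHA1 = build_client_hello([0x0403, 0x0804, 0x0401, 0x0201, 0x0202, 0x0203])
WITHOUT_SHA1 = build_client_hello([0x0403, 0x0804, 0x0401])

if __name__ == "__main__":
    for name, hello in (("with SHA-1", WITH_SHA1), ("without SHA-1", WITHOUT_SHA1)):
        print(name, "->", sha1_offered(hello) or "no SHA-1 schemes offered")
```

An empty result for a client, combined with a server certificate signed with SHA1, matches the failing case in the post.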
vankom

Re: FTP explicit TLS connection problem with some minimal TLS versions

I cannot give you access. I will make pcaps to compare the differences.
martin

Re: FTP explicit TLS connection problem with some minimal TLS versions

Thanks. Is your server publicly accessible on the Internet? Can we get a full hostname, so that we can test on our own? (no credentials are needed)
vankom

FTP explicit TLS connection problem with some minimal TLS versions

Test logs (version TLSmin-TLSmax)
WinSCP Version 5.21.8 TLSv1.2-TLSv1.2.log working
WinSCP Version 6.1.2 TLSv1.2-TLSv1.2.log working
WinSCP Version 6.2 beta TLSv1.2-TLSv1.2.log error
WinSCP Version 6.3.3 TLSv1.2-TLSv1.2.log error
WinSCP Version 6.3.3 TLSv1.1-TLSv1.2.log working
I found that the problem has been present since version 6.2 beta.
If I compare log 6.1.2 TLSv1.2-TLSv1.2 and 6.3.3 TLSv1.1-TLSv1.2 they look identical.
Why is 6.3.3 TLSv1.2-TLSv1.2 not working?
martin

Re: FTP explicit TLS connection problem with some minimal TLS versions

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.
vankom

FTP explicit TLS connection problem with some minimal TLS versions

Server closed connection is the problem.
martin

Re: FTP explicit TLS connection problem with some minimal TLS versions

Of course I've looked at them. But I still do not understand it. Please explain.
vankom

FTP explicit TLS connection problem with some minimal TLS versions

Look at the first and second posts.
martin

Re: FTP explicit TLS connection problem with some minimal TLS versions

I'm sorry, but I do not understand your last post. Can you please try again? Can you describe step-by-step what you are doing and how it went wrong?
vankom

FTP explicit TLS connection problem with some minimal TLS versions

I think this part of setting-vs-using needs rework. Also, the missing default value in RAW options is confusing (if you set up a non-default value, then the configuration option is in the config). Developers, please take a look at this.
vankom

winscp5.21.8portable (win10):
test1: min version TLS 1.0, wireshark reports Client Hello TLSv12, connection OK
test2: min version TLS 1.1, wireshark reports Client Hello TLSv12, connection OK
test3: min version TLS 1.2, wireshark reports Client Hello TLSv12, connection OK
test4: min version TLS 1.3, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)
vankom

FTP explicit TLS connection problem with some minimal TLS versions

winscp632 (win10): default setting for explicit TLS is Minimal version TLS 1.2 (test3)
test1: min version TLS 1.0, wireshark reports Client Hello TLSv12 connection OK
test2: min version TLS 1.1, wireshark reports Client Hello TLSv12 connection OK
test3: min version TLS 1.2, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)
test4: min version TLS 1.3, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)
Could you explain why wireshark reports Client Hello TLSv1 when I set TLS 1.2/1.3?