Bug 1281493
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Unable to use TLSv1.1 or TLSv1.2 protocol when TLSProtocol is set to TLSv1 | | |
| Product | [Fedora] Fedora EPEL | Reporter | Olivier BONHOMME <obonhomme> |
| Component | proftpd | Assignee | Paul Howarth <paul> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high | Priority | unspecified |
| Version | el6 | CC | itamar, matthias, paul |
| Hardware | All | Keywords | Reopened |
| OS | Linux | Type | Bug |
| Fixed In Version | proftpd-1.3.3g-7.el6 | Doc Type | Bug Fix |
| Last Closed | 2019-08-15 18:56:01 UTC | | |
Description
Olivier BONHOMME
2015-11-12 16:16:03 UTC
Hmm, this looks to be non-trivial. The version of mod_tls included with EL-6's proftpd-1.3.3g is so old that it doesn't have any knowledge of TLSv1.1 or TLSv1.2, so it would need substantial patching to rectify that. I've also considered updating mod_tls to a more recent version, but ones that know about newer TLS versions also seem to want to build against proftpd 1.3.4 or 1.3.5 rather than 1.3.3. Not sure what to do about this at the moment.

Hello Paul,

Maybe I'm going to say something stupid since I don't know proftpd as well as you, but if I don't enable the TLSProtocol option and try to make an openssl connection forcing TLSv1.2 or TLSv1.1 mode, it works. So for me TLSv1.2 can work with proftpd 1.3.3g.

So wouldn't it be possible to have just a workaround allowing TLSv1.1 and TLSv1.2 connections when TLSProtocol is set to TLSv1?

OK, so maybe it wasn't that hard. Please try this scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=11821089

I've left the defaults unchanged so as not to break any existing set-ups, and I've also left the meaning of "TLSv1" unchanged. So what you'll want is:

    TLSProtocol TLSv1.1

or

    TLSProtocol TLSv1.2

or

    TLSProtocol TLSv1.1 TLSv1.2

Hello Paul,

I just downloaded and installed your test package. Here are the results:

- With TLSProtocol TLSv1
  * Client Connection with TLSv1.1: KO
  * Client Connection with TLSv1.2: KO
  * Client Connection with TLSv1 : OK
- With TLSProtocol TLSv1.1
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: KO
  * Client Connection with TLSv1 : KO
- With TLSProtocol TLSv1.2
  * Client Connection with TLSv1.1: KO
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : KO
- With TLSProtocol TLSv1.1 TLSv1.28
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : KO
- With TLSProtocol TLSv1 TLSv1.1 TLSv1.2
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : OK

So these results seem OK to me and your proftpd version has the behaviour I was waiting for.

proftpd-1.3.3g-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117

proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    $ su -c 'yum --enablerepo=epel-testing update proftpd'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117

proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
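
The accept/reject matrix reported in this bug can be re-checked after a configuration change with a script like the following. It is an added example, not part of the bug report or the proftpd package; the function names and the CONFIG HOST PORT arguments are its own. It assumes the patched behaviour shown in the test results (only versions listed on TLSProtocol are accepted) and a local openssl build that still offers `-tls1` and `-tls1_1`.

```shell
#!/bin/sh
# Added example: compare the TLS versions a proftpd server accepts with the
# TLSProtocol line of its configuration file.

# Print the versions listed on the TLSProtocol directive of config file $1.
# Commented-out lines are ignored because their first field starts with '#'.
enabled_versions() {
    awk 'tolower($1) == "tlsprotocol" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# expected CONFIG VERSION -> OK if VERSION is listed, KO otherwise.
# Assumption: listed versions are the only ones accepted (patched mod_tls).
expected() {
    if enabled_versions "$1" | grep -qxF -- "$2"; then echo OK; else echo KO; fi
}

# Map a protocol name to the openssl s_client option that forces it.
s_client_flag() {
    case "$1" in
        TLSv1)   echo -tls1 ;;
        TLSv1.1) echo -tls1_1 ;;
        TLSv1.2) echo -tls1_2 ;;
        *)       return 1 ;;
    esac
}

# probe HOST PORT VERSION -> OK if an explicit-FTPS (AUTH TLS) handshake
# restricted to VERSION succeeds, KO otherwise. Relies on s_client exiting
# non-zero when the handshake fails.
probe() {
    flag=$(s_client_flag "$3") || { echo "unknown version: $3" >&2; return 2; }
    if openssl s_client -connect "$1:$2" -starttls ftp "$flag" \
        </dev/null >/dev/null 2>&1
    then echo OK; else echo KO; fi
}

# Usage: sh this_script CONFIG HOST PORT; exits 1 on any mismatch.
if [ "$#" -eq 3 ]; then
    rc=0
    for v in TLSv1 TLSv1.1 TLSv1.2; do
        want=$(expected "$1" "$v"); got=$(probe "$2" "$3" "$v")
        [ "$want" = "$got" ] || rc=1
        echo "$v: expected $want, observed $got"
    done
    exit "$rc"
fi
```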