Bug 1281493 - Unable to use TLSv1.1 or TLSv1.2 protocol when TLSProtocol is set to TLSv1
Status: ON_QA
Product: Fedora EPEL
Classification: Fedora
Component: proftpd
Version: el6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-11-12 11:16 EST by Olivier BONHOMME
Modified: 2016-07-02 11:18 EDT
Fixed In Version: proftpd-1.3.3g-7.el6
Doc Type: Bug Fix
Last Closed: 2015-12-01 13:24:12 EST
Type: Bug

Attachments: None

Description Olivier BONHOMME 2015-11-12 11:16:03 EST
Description of problem:

When enabling the TLSProtocol option with the TLSv1 parameter, which is the one available in the proftpd version shipped on EPEL 6, only the TLSv1 protocol is usable => it is not possible to connect to proftpd using TLSv1.1 or TLSv1.2.

The only way to allow TLSv1.2 to work is to remove the TLSProtocol option, but in that case SSLv23 is usable, which can be a major security issue.

Version-Release number of selected component (if applicable): 1.3.3g-el6

This seems related to this bug: http://bugs.proftpd.org/show_bug.cgi?id=4024

Do you think it would be possible to backport that patch into the EPEL 6 proftpd version in order to have good TLS configuration management?

How reproducible:

1. Enable TLSProtocol with the TLSv1 value in the proftpd.conf file.
2. Try to make a connection using openssl s_client, forcing TLSv1.2 with the -tls1_2 parameter.


Actual results:

Unable to negotiate the TLSv1.2 connection. Same results with TLSv1.1.

Expected results:

With TLSProtocol restricted to TLSv1, it should be possible to do a TLSv1.1 or a TLSv1.2 connection.

Additional info:
Comment 1 Paul Howarth 2015-11-12 13:51:20 EST
Hmm, this looks to be non-trivial.

The version of mod_tls included with EL-6's proftpd-1.3.3g is so old that it doesn't have any knowledge of TLSv1.1 or TLSv1.2, so it would need substantial patching to rectify that.

I've also considered updating mod_tls to a more recent version, but ones that know about newer TLS versions also seem to want to build against proftpd 1.3.4 or 1.3.5 rather than 1.3.3.

Not sure what to do about this at the moment.
Comment 2 Olivier BONHOMME 2015-11-12 16:11:00 EST
Hello Paul,

Maybe I'm going to say something stupid since I don't know proftpd as well as you, but if I don't enable the TLSProtocol option and try to make an openssl connection forcing TLSv1.2 or TLSv1.1 mode, it works.

So for me TLSv1.2 can work with proftpd 1.3.3g. So wouldn't it be possible to have just a workaround allowing TLSv1.1 and TLSv1.2 connections when TLSProtocol is set to TLSv1?
Comment 3 Paul Howarth 2015-11-13 10:46:50 EST
OK, so maybe it wasn't that hard. Please try this scratch build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=11821089

I've left the defaults unchanged so as not to break any existing set-ups, and I've also left the meaning of "TLSv1" unchanged. So what you'll want is:

TLSProtocol TLSv1.1
or
TLSProtocol TLSv1.2
or
TLSProtocol TLSv1.1 TLSv1.2
Comment 4 Olivier BONHOMME 2015-11-16 05:46:57 EST
Hello Paul,

I just downloaded and installed your test package. Here are the results:

- With TLSProtocol TLSv1
  * Client Connection with TLSv1.1: KO
  * Client Connection with TLSv1.2: KO
  * Client Connection with TLSv1 : OK

- With TLSProtocol TLSv1.1
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: KO
  * Client Connection with TLSv1 : KO

- With TLSProtocol TLSv1.2
  * Client Connection with TLSv1.1: KO
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : KO

- With TLSProtocol TLSv1.1 TLSv1.2
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : KO

- With TLSProtocol TLSv1 TLSv1.1 TLSv1.2
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : OK

So these results seem OK to me, and your proftpd version has the behaviour I was waiting for.
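The OK/KO matrix above can be reproduced mechanically with openssl s_client, one forced protocol version per handshake. This is an added example, not code from the bug report or from proftpd; it assumes explicit FTPS (AUTH TLS, hence -starttls ftp), and the host and port are placeholders.

```shell
#!/bin/sh
# Added example: probe which TLS versions an FTPS server accepts and print
# the same per-version OK/KO matrix as in comment 4.

# Classify one s_client run from its output. A completed handshake prints
# "New, <proto>, Cipher is <suite>"; a rejected version prints
# "New, (NONE), Cipher is (NONE)". Do not key on the "Protocol :" line of
# the SSL-Session summary: on failure s_client still echoes the version it
# attempted, next to "Cipher : 0000".
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^New, ' &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo OK
    else
        echo KO
    fi
}

# Force a single protocol version (-tls1, -tls1_1 or -tls1_2) against one
# server and report OK/KO. </dev/null ends the session after the handshake.
probe_version() {
    host=$1; port=$2; flag=$3
    openssl s_client -connect "$host:$port" -starttls ftp "$flag" </dev/null 2>&1 \
        | classify_handshake
}

# Full matrix for the server's current TLSProtocol setting; the host name
# below is a placeholder (constructed), replace it with your own server.
tls_matrix() {
    host=${1:-ftps.example.invalid}; port=${2:-21}
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf 'Client connection with %-7s: %s\n' "${flag#-}" \
            "$(probe_version "$host" "$port" "$flag")"
    done
}
```

Run it once per TLSProtocol value under test (`tls_matrix your.host 21`); a version the directive does not list must come back KO.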
Comment 5 Fedora Update System 2015-11-16 08:35:59 EST
proftpd-1.3.3g-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117
Comment 6 Fedora Update System 2015-11-16 11:21:17 EST
proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update proftpd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117
Comment 7 Fedora Update System 2015-12-01 13:24:10 EST
proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-03-15 07:08:26 EDT
proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 9 Fedora Update System 2016-03-15 22:16:44 EDT
proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 10 Fedora Update System 2016-06-11 06:34:06 EDT
proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 11 Fedora Update System 2016-06-12 19:17:02 EDT
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 12 Fedora Update System 2016-07-02 11:18:23 EDT
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.