Description of problem: When enabling TLSProtocol option value with TLSv1 parameter which is the one available on the proftpd version available on EPEL 6, only TLSv1 protocol is usable => It is not possible to connect to proftpd using TLSv1.1 or TLSv1.2 The only way allowing TLSv1.2 to work is to remove the TLSProtocol option but in that use case, SSLv23 is usable which can be a major security issue. Version-Release number of selected component (if applicable): 1.3.3g-el6 This seems related to this bug : http://bugs.proftpd.org/show_bug.cgi?id=4024. Do you think it would be possible to backport that patch into the EPEL 6 proftpd version in order to have a good TLS configuration management ? How reproducible: 1.Enable TLSProtocols with the TLSv1 value into the proftpd.conf file. 2.Try to make a connection using openssl s_client forcing using tls1_2 parameter Actual results: Unable to negotiate the TLSv1.2 connection. Same results with TLSv1.1 Expected results: With TLSProtocols restricted to TLSv1 it should be possible to do a TLSv1.1 or a TLSv1.2 connection. Additional info:
Hmm, this looks to be non-trivial. The version of mod_tls included with EL-6's proftpd-1.3.3g is so old that it doesn't have any knowledge of TLSv1.1 or TLSv1.2, so it would need substantial patching to rectify that. I've also considered updating mod_tls to a more recent version, but ones that know about newer TLS versions also seem to want to build against proftpd 1.3.4 or 1.3.5 rather than 1.3.3. Not sure what to do about this at the moment.
Hello Paul, Maybe I'm going to say something stupid since I don't know proftpd as good as you but if I don't enable the TLSProtocol option and try to make an openssl connection forcing TLSv1.2 or TLSv1.1 mode, it works. So for me TLSv1.2 can work with proftpd 1.3.3g. So wouldn't it possible to have just a workaround allowing TLSv1.1 and TLSv1.2 connections when TLSProtocol is set to TLSv1 ?
OK, so maybe it wasn't that hard. Please try this scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=11821089 I've left the defaults unchanged so as not to break any existing set-ups, and I've also left the meaning of "TLSv1" unchanged. So what you'll want is: TLSProtocol TLSv1.1 or TLSProtocol TLSv1.2 or TLSProtocol TLSv1.1 TLSv1.2
Hello Paul, I just downloaded and installed your test package. Here are the results : - With TLSProtocol TLSv1 * Client Connection with TLSv1.1: KO * Client Connection with TLSv1.2: KO * Client Connection with TLSv1 : OK - With TLSProtocol TLSv1.1 * Client Connection with TLSv1.1: OK * Client Connection with TLSv1.2: KO * Client Connection with TLSv1 : KO - With TLSProtocol TLSv1.2 * Client Connection with TLSv1.1: KO * Client Connection with TLSv1.2: OK * Client Connection with TLSv1 : KO - With TLSProtocol TLSv1.1 TLSv1.28 * Client Connection with TLSv1.1: OK * Client Connection with TLSv1.2: OK * Client Connection with TLSv1 : KO - With TLSProtocol TLSv1 TLSv1.1 TLSv1.2 * Client Connection with TLSv1.1: OK * Client Connection with TLSv1.2: OK * Client Connection with TLSv1 : OK So these results seems OK for me and your proftpd version has the behaviour I was waiting for.
proftpd-1.3.3g-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117
proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'yum --enablerepo=epel-testing update proftpd' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117
proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.