Bug 1281493 - Unable to use TLSv1.1 or TLSv1.2 protocol when TLSProtocol is set to TLSv1
Summary: Unable to use TLSv1.1 or TLSv1.2 protocol when TLSProtocol is set to TLSv1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: proftpd
Version: el6
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-11-12 16:16 UTC by Olivier BONHOMME
Modified: 2019-08-15 18:56 UTC (History)
3 users (show)

Fixed In Version: proftpd-1.3.3g-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-15 18:56:01 UTC


Attachments (Terms of Use)

Description Olivier BONHOMME 2015-11-12 16:16:03 UTC
Description of problem:

When enabling TLSProtocol option value with TLSv1 parameter which is the one available on the proftpd version available on EPEL 6, only TLSv1 protocol is usable => It is not possible to connect to proftpd using TLSv1.1 or TLSv1.2

The only way allowing TLSv1.2 to work is to remove the TLSProtocol option but in that use case, SSLv23 is usable which can be a major security issue.

Version-Release number of selected component (if applicable): 1.3.3g-el6

This seems related to this bug : http://bugs.proftpd.org/show_bug.cgi?id=4024. 

Do you think it would be possible to backport that patch into the EPEL 6 proftpd version in order to have a good TLS configuration management ?

How reproducible:

1.Enable TLSProtocols with the TLSv1 value into the proftpd.conf file.
2.Try to make a connection using openssl s_client forcing using tls1_2 parameter


Actual results:

Unable to negotiate the TLSv1.2 connection. Same results with TLSv1.1

Expected results:

With TLSProtocols restricted to TLSv1 it should be possible to do a TLSv1.1 or a TLSv1.2 connection.
Additional info:

Comment 1 Paul Howarth 2015-11-12 18:51:20 UTC
Hmm, this looks to be non-trivial.

The version of mod_tls included with EL-6's proftpd-1.3.3g is so old that it doesn't have any knowledge of TLSv1.1 or TLSv1.2, so it would need substantial patching to rectify that.

I've also considered updating mod_tls to a more recent version, but ones that know about newer TLS versions also seem to want to build against proftpd 1.3.4 or 1.3.5 rather than 1.3.3.

Not sure what to do about this at the moment.

Comment 2 Olivier BONHOMME 2015-11-12 21:11:00 UTC
Hello Paul,

Maybe I'm going to say something stupid since I don't know proftpd as good as you but if I don't enable the TLSProtocol option and try to make an openssl connection forcing TLSv1.2 or TLSv1.1 mode, it works.

So for me TLSv1.2 can work with proftpd 1.3.3g. So wouldn't it possible to have just a workaround allowing TLSv1.1 and TLSv1.2 connections when TLSProtocol is set to TLSv1 ?

Comment 3 Paul Howarth 2015-11-13 15:46:50 UTC
OK, so maybe it wasn't that hard. Please try this scratch build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=11821089

I've left the defaults unchanged so as not to break any existing set-ups, and I've also left the meaning of "TLSv1" unchanged. So what you'll want is:

TLSProtocol TLSv1.1
or
TLSProtocol TLSv1.2
or
TLSProtocol TLSv1.1 TLSv1.2

Comment 4 Olivier BONHOMME 2015-11-16 10:46:57 UTC
Hello Paul,

I just downloaded and installed your test package. Here are the results : 

- With TLSProtocol TLSv1
  * Client Connection with TLSv1.1: KO
  * Client Connection with TLSv1.2: KO
  * Client Connection with TLSv1 : OK

- With TLSProtocol TLSv1.1
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: KO
  * Client Connection with TLSv1 : KO

- With TLSProtocol TLSv1.2
  * Client Connection with TLSv1.1: KO
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : KO

- With TLSProtocol TLSv1.1 TLSv1.28
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : KO

- With TLSProtocol TLSv1 TLSv1.1 TLSv1.2
  * Client Connection with TLSv1.1: OK
  * Client Connection with TLSv1.2: OK
  * Client Connection with TLSv1 : OK

So these results seems OK for me and your proftpd version has the behaviour I was waiting for.

Comment 5 Fedora Update System 2015-11-16 13:35:59 UTC
proftpd-1.3.3g-7.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117

Comment 6 Fedora Update System 2015-11-16 16:21:17 UTC
proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update proftpd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-a57010c117

Comment 7 Fedora Update System 2015-12-01 18:24:10 UTC
proftpd-1.3.3g-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-03-15 11:08:26 UTC
proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

Comment 9 Fedora Update System 2016-03-16 02:16:44 UTC
proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

Comment 10 Fedora Update System 2016-06-11 10:34:06 UTC
proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

Comment 11 Fedora Update System 2016-06-12 23:17:02 UTC
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

Comment 12 Fedora Update System 2016-07-02 15:18:23 UTC
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.