Hello everybody,

I am writing to this mailing list because I have an issue using lftp and I would love to have more info about the features available in the lftp version provided by CentOS 6.

I am trying to connect to an FTP server in secured mode using explicit FTPS and I would love to use TLSv1.2.

After several tries, I understood that the TLS negotiation was not possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand why:
- The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use gnutls-cli in order to make a TLSv1.2 connection.
- It also works perfectly with an openssl client, so it's not a server-side issue.
- I don't see anything in the lftp changelog or features list saying that lftp is not compliant with TLSv1.2.

So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) do a TLSv1.2 connection? If it is not possible, I can deal with it, but I'm curious to know if it is a feature or a bug. Indeed, if it's a bug it could be interesting to submit an issue for a potential resolution.

Thanks for your answers.

Regards,
Olivier Bonhomme
At least the latest version supports TLSv1.2 -- maybe the packaged version is a bit old?

Eero

2016-08-02 14:11 GMT+03:00 Olivier BONHOMME <obonhomme at nerim.net>:
> Hello everybody,
>
> I am writing to this mailing list because I have an issue using lftp and I would
> love to have more info about the features available in the lftp version provided by
> CentOS 6.
>
> I am trying to connect to an FTP server in secured mode using explicit FTPS and I would
> love to use TLSv1.2.
>
> After several tries, I understood that the TLS negotiation was not possible
> using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand
> why:
> - The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use
> gnutls-cli in order to make a TLSv1.2 connection.
> - It also works perfectly with an openssl client, so it's not a server-side
> issue.
> - I don't see anything in the lftp changelog or features list saying that lftp
> is not compliant with TLSv1.2.
>
> So my question is: can the lftp provided by CentOS (of course the last version in the
> 6.x branch) do a TLSv1.2 connection? If it is not possible, I can deal with
> it, but I'm curious to know if it is a feature or a bug. Indeed, if it's a bug it
> could be interesting to submit an issue for a potential resolution.
>
> Thanks for your answers.
>
> Regards,
> Olivier Bonhomme
On 08/02/2016 06:11 AM, Olivier BONHOMME wrote:
> Hello everybody,
>
> I am writing to this mailing list because I have an issue using lftp and I would
> love to have more info about the features available in the lftp version provided by
> CentOS 6.
>
> I am trying to connect to an FTP server in secured mode using explicit FTPS and I would
> love to use TLSv1.2.
>
> After several tries, I understood that the TLS negotiation was not possible
> using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't understand
> why:
> - The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use
> gnutls-cli in order to make a TLSv1.2 connection.
> - It also works perfectly with an openssl client, so it's not a server-side
> issue.
> - I don't see anything in the lftp changelog or features list saying that lftp
> is not compliant with TLSv1.2.
>
> So my question is: can the lftp provided by CentOS (of course the last version in the
> 6.x branch) do a TLSv1.2 connection? If it is not possible, I can deal with
> it, but I'm curious to know if it is a feature or a bug. Indeed, if it's a bug it
> could be interesting to submit an issue for a potential resolution.
>
> Thanks for your answers.

The latest lftp in CentOS-6.8 is version lftp-4.0.9-6.el6_8.2. It was built on July 12, 2016.

That was built with nss-3.21.0-8.el6 in the build root.

If you have the latest installed, it would seem that it should be able to work.
My good man <g>

Olivier BONHOMME wrote:
> Hello everybody,
>
> I am writing to this mailing list because I have an issue using lftp and I would
> love to have more info about the features available in the lftp version provided by
> CentOS 6.
>
> I am trying to connect to an FTP server in secured mode using explicit FTPS and I
> would love to use TLSv1.2.
>
> After several tries, I understood that the TLS negotiation was not
> possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don't
> understand why:
<snip>

Googling on TLS 1.2, I see posts within the last year or so of folks discussing older browsers on the user side that have not been upgraded in too long, and so are not TLS 1.2 capable.

mark
On 02/08/2016 12:11, Olivier BONHOMME wrote:
> So my question is: can the lftp provided by CentOS (of course the last version in the
> 6.x branch) do a TLSv1.2 connection?

It may not be related, but in the past I have needed to rebuild libNSS and Curl in CentOS 6 due to an upstream patch that explicitly disabled TLSv1.2 in the default list of supported versions.
As I recall, this was done to maintain support for servers that could not work when the negotiation of SSL/TLS was longer than X bytes. Unfortunately, I can't find the bug I referenced at the time.

If it's like Curl, you might be able to explicitly enable TLSv1.2 on the command line, else I suspect you could recompile the source RPM, removing patches if required.
On Tue, Aug 02, 2016 at 07:36:02AM -0500, Johnny Hughes wrote:
> The latest lftp in CentOS-6.8 is version lftp-4.0.9-6.el6_8.2. It was
> built on July 12, 2016.
>
> That was built with nss-3.21.0-8.el6 in the build root.
>
> If you have the latest installed, it would seem that it should be able
> to work.
>

Hello Johnny,

Thanks for your answer. On my system, I'm up to date for the lftp version. It's also the same for gnutls.

However, I feel a bit confused: you mentioned that lftp has been built with NSS. But for me, lftp uses GnuTLS for crypto operations and not NSS. Did I miss something?

Regards,
Olivier
On Tue, Aug 02, 2016 at 02:13:31PM +0100, Tom Grace wrote:
> On 02/08/2016 12:11, Olivier BONHOMME wrote:
> > So my question is: can the lftp provided by CentOS (of course the last version in the
> > 6.x branch) do a TLSv1.2 connection?
> It may not be related, but in the past I have needed to rebuild libNSS
> and Curl in CentOS 6 due to an upstream patch that explicitly disabled
> TLSv1.2 in the default list of supported versions.
> As I recall, this was done to maintain support for servers that could
> not work when the negotiation of SSL/TLS was longer than X bytes.
> Unfortunately, I can't find the bug I referenced at the time.
>
> If it's like Curl, you might be able to explicitly enable TLSv1.2 on the
> command line, else I suspect you could recompile the source RPM,
> removing patches if required.

Hello Tom,

It's indeed an interesting lead. I didn't think about something simply being disabled. I browsed the gnutls RPM changelog and I saw this:

* Thu May 3 2012 Tomas Mraz <tmraz at redhat.com> 2.8.5-7
- more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)

So TLS 1.2 seems to be there but disabled by default, so maybe lftp can't use it because it can't force it. I tried browsing the code and RPM patches but I was unable to find where this disabling happens.

Does anybody have an idea?

Regards,
Olivier
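The thread turns on separating three possible causes: the server not offering TLS 1.2, the TLS library having it disabled by default, and the FTP client not asking for it. Olivier's check with gnutls-cli and openssl covers the first. The script below is an added example (not from the thread or from lftp) of doing the same check for explicit FTPS (AUTH TLS) from Python's standard library, pinning the client to exactly one protocol version per attempt so the outcome says something about that version and nothing else. It assumes Python 3.7+ with the ssl.TLSVersion API; the host and port are placeholders, and the usage results shown in comments are constructed.

```python
import ftplib
import ssl


def build_context(version: ssl.TLSVersion, verify: bool = True) -> ssl.SSLContext:
    """Client context that will negotiate exactly one TLS version.

    Pinning minimum and maximum to the same value means a successful
    handshake proves the server supports that version, and a failure
    (with a library known to support it) points at the server or at a
    policy that disables it, not at version negotiation picking another.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if not verify:
        # Only for protocol probing against a server with a self-signed
        # certificate; never use this for real transfers.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_explicit_ftps(host: str, port: int, version: ssl.TLSVersion,
                        timeout: float = 10.0, verify: bool = True):
    """Connect in clear, issue AUTH TLS, and report the negotiated version.

    Returns a (status, detail) pair:
      ("ok", "TLSv1.2")            handshake succeeded with that version
      ("cert-failure", msg)        TLS worked but the certificate was rejected
      ("tls-failure", msg)         handshake failed (version refused, etc.)
      ("ftp-failure", msg)         server refused AUTH TLS or connection failed
    """
    ftp = ftplib.FTP_TLS(context=build_context(version, verify), timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()  # sends AUTH TLS and wraps the control socket
        return ("ok", ftp.sock.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert-failure", str(exc))
    except ssl.SSLError as exc:
        return ("tls-failure", str(exc))
    except (ftplib.Error, OSError) as exc:
        return ("ftp-failure", str(exc))
    finally:
        ftp.close()


def diagnose(results: dict) -> str:
    """Turn per-version probe results into the conclusion the thread is after.

    `results` maps a version label ("TLSv1.1", "TLSv1.2") to the status
    returned by probe_explicit_ftps. A client library that handshakes
    TLS 1.2 here while lftp cannot means the limitation is in lftp or in
    how it drives its TLS library, which is the thread's open question.
    """
    v12 = results.get("TLSv1.2", ("tls-failure", ""))[0]
    v11 = results.get("TLSv1.1", ("tls-failure", ""))[0]
    if v12 in ("ok", "cert-failure"):
        return "server negotiates TLSv1.2; a client that cannot is the limiting side"
    if v11 in ("ok", "cert-failure"):
        return "server accepts TLSv1.1 but refuses TLSv1.2; server-side limitation"
    return "no TLS version negotiated; check AUTH TLS support and network path"


if __name__ == "__main__":
    HOST, PORT = "ftp.example.invalid", 21  # placeholders, not a real target
    outcome = {}
    for label, ver in (("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                       ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        # Modern OpenSSL builds may refuse TLSv1.1 at their default
        # security level; that shows up here as a tls-failure for the
        # client, not the server, so read the TLSv1.1 row with care.
        outcome[label] = probe_explicit_ftps(HOST, PORT, ver)
        print(label, outcome[label])
    print(diagnose(outcome))
```

Run it against the same server used with lftp; the `build_context` pinning is what makes the comparison meaningful, since a context that merely allows TLS 1.2 will happily settle on TLS 1.1 and tell you nothing about why lftp does not get 1.2.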