On Tue, Aug 02, 2016 at 02:13:31PM +0100, Tom Grace wrote:
> On 02/08/2016 12:11, Olivier BONHOMME wrote:
> > So my question is: can lftp provided by CentOS (of course the last version in the
> > 6.x branch) do a TLSv1.2 connection?
>
> It may not be related, but in the past I have needed to rebuild libNSS
> and Curl in CentOS 6 due to an upstream patch that explicitly disabled
> TLSv1.2 in the default list of supported versions.
> As I recall, this was done to maintain support for servers that could
> not work when the negotiation of SSL/TLS was longer than X bytes.
> Unfortunately, I can't find the bug I referenced at the time.
>
> If it's like Curl, you might be able to explicitly enable TLSv1.2 on the
> command line, else I suspect you could recompile the source RPM,
> removing patches if required.

Hello Tom,

It's indeed an interesting way. I didn't think about something just being disabled. I
browsed the gnutls RPM changelog and I saw this:

    * Thu May 3 2012 Tomas Mraz <tmraz at redhat.com> 2.8.5-7
    - more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)

So TLS 1.2 seems to be there but disabled by default, so maybe lftp can't use it
because it can't force it.

I tried browsing the code and RPM patches but I was unable to find where this
disabling is done.

Does anybody have an idea?

Regards,
Olivier
On Tue, Aug 02, 2016 at 02:56:26PM +0000, Olivier BONHOMME wrote:
> Hello Tom,
>
> It's indeed an interesting way. I didn't think about something just being disabled. I
> browsed the gnutls RPM changelog and I saw this:
>
> * Thu May 3 2012 Tomas Mraz <tmraz at redhat.com> 2.8.5-7
> - more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)
>
> So TLS 1.2 seems to be there but disabled by default, so maybe lftp can't use it
> because it can't force it.
>
> I tried browsing the code and RPM patches but I was unable to find where this
> disabling is done.
>
> Does anybody have an idea?

Hello guys,

I think I found something. If we look into the upstream source provided in the
GNUTLS SRPM, we have in the file lib/gnutls_priority.c:

    static const int protocol_priority[] = {
        /* GNUTLS_TLS1_2, -- not finalized yet! */
        GNUTLS_TLS1_1,
        GNUTLS_TLS1_0,
        GNUTLS_SSL3,
        0
    };

So I guess that even if TLS1.2 is implemented in the CentOS version, the default
priority doesn't allow using TLS1.2. And I think that lftp doesn't allow forcing
this priority; that's why I can't use TLS1.2 and only TLS1.1 at most.

So the question is: can that behaviour be considered an lftp bug or not?

Regards,
Olivier
On Tue, Aug 02, 2016 at 03:29:07PM +0000, Olivier BONHOMME wrote:
> On Tue, Aug 02, 2016 at 02:56:26PM +0000, Olivier BONHOMME wrote:
> So the question is: can that behaviour be considered an lftp bug or not?

Hello again,

Just answering myself and the list with a conclusion.

lftp in CentOS uses the default priority provided by gnutls and it's not possible
to override it in lftp 4.0.9 provided in CentOS 6.

However, the ssl:priority feature has been implemented in lftp 4.6.2
(https://github.com/lavv17/lftp/commit/b406805d2b3d4c9a88e24363980e5717e61d0948)
and there is also a RHEL/CentOS backport for CentOS 7
(https://git.centos.org/blob/rpms!lftp/373a02466b773fe2dbbfde702aec1848e006ba70/SOURCES!lftp-4.4.8-ssl-tls-restrict.patch)

I think it would be nice if that feature could be backported into the CentOS 6
lftp version.

Regards,
Olivier
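As an added illustration that is not part of this thread and not code from lftp or gnutls: the following Python script models what the messages above describe. It takes the protocol list quoted from lib/gnutls_priority.c (TLS1.2 commented out, so the compiled-in default is TLS1.1/TLS1.0/SSL3) as the client's version set, negotiates against a server that only accepts TLS1.2, and then shows what a gnutls-style priority string such as the one an ssl:priority setting would pass changes. The handling of priority keywords (NORMAL, NONE, +VERS-x, -VERS-x, VERS-TLS-ALL) is a simplified assumption about the real gnutls syntax, not a reimplementation of it, and the server version sets are constructed inputs.

```python
# Added example, not from the thread or from lftp/gnutls sources.
# Toy model of TLS version negotiation driven by gnutls-style priority
# strings. The keyword subset handled here is an assumption about gnutls
# syntax, simplified for illustration.

# Protocol versions in negotiation preference order, highest first.
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]

# Compiled-in default of CentOS 6's gnutls 2.8.5, as quoted in the thread
# from lib/gnutls_priority.c: GNUTLS_TLS1_2 is commented out.
CENTOS6_DEFAULT = ["TLS1.1", "TLS1.0", "SSL3.0"]


def apply_priority(priority, base=None):
    """Return the enabled versions after applying a priority string such as
    'NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2'.

    NORMAL starts from `base` (the library's default list, CentOS6_DEFAULT
    when not given), NONE starts empty, '+VERS-x' enables x, '-VERS-x'
    disables x, and 'VERS-TLS-ALL' expands to every TLS version (SSL3.0 is
    not covered by it). Unknown keywords raise ValueError so a typo in a
    priority string cannot silently leave the defaults in place.
    """
    enabled = []
    for token in priority.split(":"):
        if token == "NORMAL":
            enabled = list(CENTOS6_DEFAULT if base is None else base)
        elif token == "NONE":
            enabled = []
        elif token[:1] in ("+", "-") and token[1:].startswith("VERS-"):
            name = token[6:]  # strip the leading '+VERS-' / '-VERS-'
            if name == "TLS-ALL":
                targets = [v for v in VERSIONS if v.startswith("TLS")]
            elif name in VERSIONS:
                targets = [name]
            else:
                raise ValueError("unknown protocol version: %s" % name)
            for t in targets:
                if token[0] == "+" and t not in enabled:
                    enabled.append(t)
                elif token[0] == "-" and t in enabled:
                    enabled.remove(t)
        else:
            raise ValueError("unsupported priority keyword: %s" % token)
    # Report in canonical highest-first order regardless of insertion order.
    return [v for v in VERSIONS if v in enabled]


def negotiate(client_versions, server_versions):
    """Pick the highest version both sides enable, or None on failure."""
    for v in VERSIONS:
        if v in client_versions and v in server_versions:
            return v
    return None


def demo():
    """Walk through the thread's scenario; returns (before, after)."""
    # Constructed server: a modern endpoint that accepts TLS1.2 only.
    tls12_only_server = ["TLS1.2"]
    # lftp 4.0.9 on CentOS 6: stuck with the library default, no override.
    before = negotiate(CENTOS6_DEFAULT, tls12_only_server)
    # lftp >= 4.6.2 with 'set ssl:priority NORMAL:+VERS-TLS1.2' (assumed
    # string): TLS1.2 is added on top of the default list.
    after = negotiate(apply_priority("NORMAL:+VERS-TLS1.2"), tls12_only_server)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("default gnutls 2.8.5 list vs TLS1.2-only server:", before)
    print("with NORMAL:+VERS-TLS1.2 override:", after)
```

The value of the model is the failure case: with the library default the intersection is empty, which is exactly the symptom of an lftp that cannot pass its own priority string. A practitioner on a real system would confirm the same thing with the gnutls-cli tool shipped with the same gnutls package, since it shares the compiled-in default list.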