TLSv1.2 Support For Lftp On CentOS 6.x


Hello everybody,

I am writing to this mailing list because I have an issue using lftp and I would love to have more information about the features available in the lftp version provided by CentOS 6.

I am trying to connect to an FTP server in secure mode using explicit FTPS, and I would love to use TLSv1.2.

After several tries, I understood that the TLS negotiation was not possible using TLSv1.2 (it works only with TLSv1.1), but my issue is that I don’t understand why:
– The GnuTLS library provided by CentOS is TLSv1.2 compliant. I can use gnutls-cli in order to make a TLSv1.2 connection.
– It also works perfectly with an openssl client, so it’s not a server-side issue.
– I don’t see anything in the lftp changelog or features list saying that lftp is not compliant with TLSv1.2.

So my question is: can the lftp provided by CentOS (of course the last version in the 6.x branch) do TLSv1.2 connections? If it is not possible, I can deal with it, but I’m curious to know if it is a feature or a bug. Indeed, if it’s a bug, it could be interesting to submit an issue for a potential resolution.

Thanks for your answers

Regards, Olivier Bonhomme

10 thoughts on - TLSv1.2 Support For Lftp On CentOS 6.x

  • At least the latest version supports tlsv1.2 — maybe packaged version is a bit old?

    Eero

    2016-08-02 14:11 GMT+03:00 Olivier BONHOMME :

  • The latest lftp in CentOS-6.8 is version: lftp-4.0.9-6.el6_8.2. It was built on July 12, 2016.

    That was built with nss-3.21.0-8.el6 in the build root.

    If you have the latest installed, it would seem that it should be able to work.

  • My good man

    Olivier BONHOMME wrote:

    Googling on tls1.2, I see posts within the last year or so of folks discussing older browsers on the user side that have not been upgraded in too long, and so are not tls 1.2 capable.

    mark

  • It may not be related, but in the past I have needed to rebuild libNSS and Curl in CentOS 6 due to an upstream patch that explicitly disabled TLSv1.2 in the default list of supported versions. As I recall, this was done to maintain support for servers that could not work when the negotiation of SSL/TLS was longer than X bytes. Unfortunately, I can’t find the bug I referenced at the time.

    If it’s like Curl, you might be able to explicitly enable TLSv1.2 on the command line, else I suspect you could recompile the source RPM, removing patches if required.

  • Hello Johnny,

    Thanks for your answer. On my system, I’m up-to-date for lftp version. It’s also the same for gnutls.

    However, I feel a bit confused: you mentioned that lftp has been built with nss. But for me, lftp uses GnuTLS for crypto operations and not NSS.

    Did I miss something?

    Regards, Olivier

  • Hello Tom,

    It’s indeed an interesting way to look at it. I didn’t think about something simply being disabled. I browsed the gnutls RPM changelog and I saw this:

    * Thu May 3 2012 Tomas Mraz 2.8.5-7
    - more TLS-1.2 compatibility fixes (TLS-1.2 stays disabled by default)

    So TLS 1.2 seems to be there but disabled by default, so maybe lftp can’t use it because it can’t force it.

    I tried browsing the code and RPM patches but I was unable to find where this disable thing is.

    Does anybody have an idea?

    Regards, Olivier

  • I just listed the nss in the build root at the time of the build. It is built against gnutls-devel and that version was:

    gnutls-devel x86_64 2.8.5-19.el6_7

  • Hello guys,

    I think I found something. If we look into the upstream source provided in the GnuTLS SRPM, we have in the file lib/gnutls_priority.c:

    static const int protocol_priority[] = {
        /* GNUTLS_TLS1_2, -- not finalized yet! */
        GNUTLS_TLS1_1,
        GNUTLS_TLS1_0,
        GNUTLS_SSL3,
        0
    };

    So I guess that even if TLS1.2 is implemented in the CentOS version, the default priority doesn’t allow TLS1.2 to be used.

    And I think that lftp doesn’t allow this priority to be forced; that’s why I can’t use TLS1.2, only TLS1.1 at best.

    So the question is: can that behaviour be considered an lftp bug or not?

    Regards, Olivier

  • Hello again,

    Just answering myself and the list with a conclusion. lftp in CentOS uses the default priority provided by gnutls and it’s not possible to override it in lftp 4.0.9 as provided in CentOS 6.

    However, the ssl:priority feature has been implemented in lftp 4.6.2
    (https://github.com/lavv17/lftp/commit/b406805d2b3d4c9a88e24363980e5717e61d0948)
    and there is also a RHEL/CentOS backport for CentOS 7
    (https://git.CentOS.org/blob/rpms!lftp/373a02466b773fe2dbbfde702aec1848e006ba70/SOURCES!lftp-4.4.8-ssl-tls-restrict.patch)

    I think it would be nice if that feature could be backported into the CentOS 6 lftp version.

    Regards, Olivier
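A simplified model of the protocol-version part of GnuTLS priority resolution, added here as an illustration of the two posts above (it is not GnuTLS's or lftp's own code): it starts from the gnutls 2.8.5 default list quoted from lib/gnutls_priority.c and shows why a client that cannot override the priority never offers TLS 1.2, and what an ssl:priority string such as NORMAL:+VERS-TLS1.2 would change, assuming lftp 4.6.2 passes that string straight through to GnuTLS. The server's supported versions are constructed sample data.

```python
from typing import Dict, List, Optional

# Default protocol list hard-coded in gnutls 2.8.5 lib/gnutls_priority.c as
# quoted in this thread: GNUTLS_TLS1_2 is commented out, so the library never
# offers TLS 1.2 unless the application supplies its own priority string.
GNUTLS_2_8_5_DEFAULTS: List[str] = ["TLS1.1", "TLS1.0", "SSL3.0"]
TLS_VERSIONS: List[str] = ["TLS1.2", "TLS1.1", "TLS1.0"]
# Ranking used to pick the best common version during negotiation.
RANK: Dict[str, int] = {"SSL3.0": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}


def resolve_protocols(priority: str,
                      defaults: List[str] = GNUTLS_2_8_5_DEFAULTS) -> List[str]:
    """Protocol versions a client offers for a priority string (simplified model).

    Only the VERS-* keywords are interpreted; cipher/MAC/KX keywords are skipped:
      NORMAL           start from the library defaults
      +VERS-TLS1.2     add a version      -VERS-TLS1.0   drop a version
      -VERS-TLS-ALL    drop every TLS version (SSL3.0 stays)
    """
    tokens = priority.split(":")
    if tokens[0] != "NORMAL":
        raise ValueError("this model only handles priority strings starting with NORMAL")
    enabled = list(defaults)
    for tok in tokens[1:]:
        if not tok.startswith(("+VERS-", "-VERS-")):
            continue
        op, version = tok[0], tok[6:]
        wanted = TLS_VERSIONS if version == "TLS-ALL" else [version]
        if any(v not in RANK for v in wanted):
            raise ValueError(f"unknown protocol version in priority string: {tok}")
        for v in wanted:
            if op == "+" and v not in enabled:
                enabled.append(v)
            elif op == "-" and v in enabled:
                enabled.remove(v)
    return sorted(enabled, key=RANK.get, reverse=True)


def negotiated_version(client: List[str], server: List[str]) -> Optional[str]:
    """Highest version offered by both sides, or None when no handshake is possible."""
    common = set(client) & set(server)
    return max(common, key=RANK.get) if common else None


# Constructed scenario: the server accepts TLS 1.1 and 1.2 (openssl and gnutls-cli
# reached it with 1.2), but lftp 4.0.9 cannot change the GnuTLS priority.
SERVER = ["TLS1.2", "TLS1.1"]

print("stock lftp 4.0.9:", negotiated_version(resolve_protocols("NORMAL"), SERVER))
print("with ssl:priority:", negotiated_version(resolve_protocols("NORMAL:+VERS-TLS1.2"), SERVER))
```

Forcing a single version with NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 also shows the failure mode in reverse: against a server that only speaks TLS 1.1 there is no common version and the handshake cannot succeed.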

  • CentOS rebuilds the source code from RHEL-6. If anything is going to be backported, it would need to be backported into RHEL-6 and released, and we would then get it into CentOS-6.