TLS 1.2 support?

[defwheezer]

I have previously had no problems with NppFTP connecting, but now the web host has changed to TLS 1.2 and it no longer connects to the server.

• Connecting
• -> Quit
• 220-Welcome to the REDACTED Web Hosting FTP server
• 220-No anonymous logins accepted.
• 220-Local time is now 10:40. Server port: 21.
• 220-This is a private system - No anonymous login
• 220 You will be disconnected after 5 minutes of inactivity.
• -> AUTH TLS
• 234 AUTH TLS OK.
• Unable to connect
• Disconnected

From the hosting site: "Important: As of January 4, 2017 all FTP sessions will require an FTPS connection along with TLS 1.2 protocol support for increased system security."

Does the plugin support TLS 1.2, or is it still only supporting TLS 1.0?

[ashkulz]

Are you using the latest release?

[defwheezer]

Yes, I am using v0.26.7.

[JAN4GER]

the same issue. any idea when will we can use 1.2 TLS?

[chcg]

• The used lib openssl-1.0.2i should support TLS v1.2.
• See https://forum.filezilla-project.org/viewtopic.php?t=23615 and https://en.wikipedia.org/wiki/FTPS#Firewall_incompatibilities, maybe a firewall issue.
• Could a ftpclient e.g. filezilla connect to the server?

[defwheezer]

Filezilla works just fine for me, but not NppFTP.

[chcg]

Maybe also https://www.codeproject.com/Articles/20181/The-Ultimate-TCP-IP-Home-Page#Ultimate_TCP-IP_Features is the problem, as there just TLS 1.0 support is stated, but not sure if this is also valid for nppFTP. Need to dig a little bit deeper in the source code.

[chcg]

See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html currently just TLSv1_client_method() is supported by

https://github.com/ashkulz/NppFTP/blob/master/UTCP/src/ut_clnt.cpp#L641

TLSv1_1_client_method() and TLSv1_2_client_method() are missing. And also the corresponding code for TLS protocoll version fallback from 1.2 -> 1.1 -> 1.0.

Testserver for FTP, FTPS, FTPES and SFTP is available, see http://test.rebex.net/

[ashkulz]

What is the configuration for the server? FTPS mode would use fallback as it uses SSLv23_client_method which is recommended by OpenSSL.

[chcg]

Sorry, the commet was too short. The connection to the mentioned test server with nppFTP is fine with FTPS amd FTPES, so that particular server seem to require just TLS 1.0. Currently I have no testserver to test against that just accepts TLS 1.2.

The analysis was just based on code reading. From openssl

SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()

These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Most applications should use these method, and avoid the version specific methods described below.

, but there is a code path at

https://github.com/ashkulz/NppFTP/blob/master/UTCP/src/ftp_c.cpp#L3270

leading to

https://github.com/ashkulz/NppFTP/blob/master/UTCP/src/ftp_c.cpp#L3300

which seems to use just the TLSv1_client_method() call.

And that "AUTH TLS" from that code position is visible in the trace above.

[JAN4GER]

Any progress?

I've just updated to 0.26.8
Nothing changed, still cannot connect with TLS1.2 service what yahoo provides actually.

Filezilla connected as well.
NppFtp connects to others ftp services as well.

[chcg]

@JAN4GER @defwheezer
I did the replacement of TLS with SSLv23 to get the fallback starting from TLS v1.2. There is a, build from my test branch at https://ci.appveyor.com/project/chcg/nppftp/build/0.26.8.129/job/21o1gg1cmd8evfft/artifacts for win32. Could you please check if that version is working for you.

[defwheezer]

Yes, that new NNPftp.dll works for me (win7), I am able to connect again to the yahoo hosting ftp server!  Awesome- thanks!! -cb

[ashkulz]

@chcg: I'd recommend that you create a PR directly in this repository itself, so that a DLL will be built which can be tested by the reporter directly and verified before merging -- AppVeyor is now enabled on this repository.

@defwheezer @JAN4GER: we'll hopefully release 0.26.9 with these changes very soon 👍

[JAN4GER]

Thanks @defwheezer @chcg ! It works smoothly! Again!

[chcg]

@JAN4GER @defwheezer

just release fix for TLS v1.2 support as version https://github.com/ashkulz/NppFTP/releases/tag/v0.26.9. It is available also from PluginManager with Setting -> use development plugin list and in ~2 weeks on the normal list.