12-29-2018, 04:04 AM
Prodigy
Member
 
Join Date: Jul 2009
Posts: 53
ioFTPD v7.7.7 : First in the world ftp server with TLS 1.3 support

I am proud to announce possibly the first ever FTPD/FTP server in the world with TLS 1.3 support.

Currently the only usable FTP client which supports TLS 1.3 is good old curl!

7.7.7.9999 Changelog :
  • Upgraded to Tcl 8.5.19
  • Upgraded to OpenSSL 1.1.1a for TLS 1.3 support
  • Upgraded compiler to VS 2013 for possible fixes and enhancements
  • Disabled SSLv2

7.7.7.10000 Changelog :
  • Fixed Encryption_Protocol implementation

7.7.7.10001 Changelog :
  • More fixes to the Encryption_Protocol implementation: when enabling SSL3, TLS auth could not work

7.7.7.10002 Changelog :
  • Stricter Encryption_Protocol, only allowing the "SSL3, TLS1.0, TLS1.1, TLS1.2, TLS1.3" options

7.7.7.10003 Changelog :
  • SSLv3 has already been deprecated in OpenSSL 1.1.1; any AUTH SSL attempt will automatically be redirected to TLS 1.2

7.7.7.10004 Changelog :
  • Fixed TLS 1.3 not working from the beginning; now tested. Certificate file generation now takes until the Debug.log file reaches around 950 KB
  • If you change the "OpenSSL_Ciphers" variable, you need to re-generate the certificate files by stopping ioFTPD, deleting ioFTPD.dhp, ioFTPD.key and ioFTPD.pem from the system folder, and re-running ioFTPD; also watch the system\debug.log file until it stops increasing in size
  • The longer the "OpenSSL_Ciphers" variable, the longer the automatic certificate file generation will take.
  • 7.7.7.10004-1 = Fine-tuned ioFTPD.ini for TLS 1.3

7.7.7.10005 Changelog :
  • Added more logic checks for the "Encryption_Protocol" option.
  • Prevent crashes when an unknown "Encryption_Protocol" option is set.
  • Made TLS 1.2 the default protocol to avoid confusion

7.7.7.10006 Changelog :
  • Added more of the OpenSSL 1.1.1a OpenSSL_Options variables
  • NO_SSLv2 and other OpenSSL_Options variables are deprecated in OpenSSL 1.1.1a, so I have removed them.
  • 7.7.7.10006-1 Added a more proper OpenSSL_Ciphers variable for TLS 1.3 only connections.
  • 7.7.7.10006-1 Redirected some log messages to Debug.log instead of Error.log


To test the TLS 1.3 server functionality, download the latest curl from here.
Enable TLS 1.3 in the ioFTPD.ini:
Code:
Encryption_Protocol     = TLS1.3
OpenSSL_Ciphers = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
The above options explicitly allow only TLS 1.3.

In the curl bin directory (or anywhere, if you have added the curl bin directory to the Windows env path) type the following:
Code:
curl -v --ciphers TLS_CHACHA20_POLY1305_SHA256 ftp://127.0.0.1:5420/test.log -k --user ioFTPD:ioFTPD --ssl-reqd
The "--user ioFTPD:ioFTPD" part is the default ioFTPD username:password! Change it if you have a custom setup.
To upload a file into the ioFTPD root folder:
Code:
curl -v --ciphers TLS_CHACHA20_POLY1305_SHA256 ftp://127.0.0.1:5420/ -k --user ioFTPD:ioFTPD --ssl-reqd -T X:\Folder\filename.extension
The ioFTPD build dubbed version 7.7.7.10006-1 with TLS 1.3 support! Don't forget thanks to UltraFine for countless hours testing my build, great job bro!
Code:
https://mega.nz/#!AJknjSwR!Id4TO4Xi5kqqCZvaIX0fyF3d-lFUrJRwRrbPZho6apo
Now who will be the first FTP client to support it? Let's hope my implementation is the correct one!

Note :
We need new certificate files for this one, so please delete your ioFTPD.dhp, ioFTPD.key and ioFTPD.pem from your system folder! After that, when you launch ioFTPD, monitor "C:\ioFTPD\logs\Debug.log" and wait until it reaches around 950 KB or stops increasing in size; then you can start using a client to connect to the ioFTPD server.

About the usage of "Encryption_Protocol": the one you set in this option variable is the minimum supported protocol, so setting "SSL3" means it will support SSLv3 at minimum, up to TLS 1.3.
TLS 1.3 is the most secure protocol currently supported.


Possible OpenSSL_Options variables:
Code:
NO_ANTI_REPLAY
ENABLE_MIDDLEBOX_COMPAT
PRIORITIZE_CHACHA
ALLOW_NO_DHE_KEX
NO_RENEGOTIATION
NO_ENCRYPT_THEN_MAC
SAFARI_ECDHE_ECDSA_BUG
TLSEXT_PADDING
LEGACY_SERVER_CONNECT
DONT_INSERT_EMPTY_FRAGMENTS
ALL
NO_QUERY_MTU
COOKIE_EXCHANGE
NO_TICKET
CISCO_ANYCONNECT
NO_SESSION_RESUMPTION_ON_RENEGOTIATION
NO_COMPRESSION
ALLOW_UNSAFE_LEGACY_RENEGOTIATION
CIPHER_SERVER_PREFERENCE
TLS_ROLLBACK_BUG
NO_SSLv3
NO_TLSv1
NO_TLSv1_1
NO_TLSv1_2
NO_TLSv1_3
CRYPTOPRO_TLSEXT_BUG
More info :
Code:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
Please set "OpenSSL_Options" without any spaces between the variables, for example:
Code:
OpenSSL_Options = PRIORITIZE_CHACHA|NO_SSLv3
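As an added illustration (not ioFTPD's own code) of how the "Encryption_Protocol" floor described above and a pipe-separated "OpenSSL_Options" string like the one just shown map onto an OpenSSL context: the protocol name becomes the minimum protocol version, the option names are OR'ed into the SSL_OP_* mask, and unknown names are rejected instead of being silently dropped. It uses Python's ssl module, which exposes only a subset of the option names (PRIORITIZE_CHACHA, for example, has no Python constant and is therefore reported as unsupported); the name-to-constant mappings are assumptions.

```python
import ssl

# Assumed mapping of the post's Encryption_Protocol values (the MINIMUM protocol
# the server accepts) onto Python's ssl.TLSVersion.
PROTOCOL_MIN = {
    "SSL3": ssl.TLSVersion.SSLv3, "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1, "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}
VERSION_NAME = {v: k for k, v in PROTOCOL_MIN.items()}

# OpenSSL_Options names from the post that Python exposes as ssl.OP_* flags
# (same bits as OpenSSL's SSL_OP_*). Only a subset exists in Python, and only
# the names present in the running interpreter are accepted.
OPTION_FLAGS = {
    name: getattr(ssl, "OP_" + name)
    for name in ("ALL", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1_1", "NO_TLSv1_2",
                 "NO_TLSv1_3", "NO_COMPRESSION", "NO_TICKET",
                 "CIPHER_SERVER_PREFERENCE", "NO_RENEGOTIATION",
                 "ENABLE_MIDDLEBOX_COMPAT")
    if hasattr(ssl, "OP_" + name)
}
# OP_NO_* flag that excludes a version even when minimum_version would allow it.
NO_VERSION_FLAG = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3, ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1, ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def option_is_supported(name):
    return name in OPTION_FLAGS


def parse_options(value):
    """Parse 'A|B|C' (no spaces, as the post requires) into an OR'ed OP_* mask.
    Unknown names raise rather than being ignored, so a typo cannot silently
    leave a protection off."""
    mask = 0
    for name in value.split("|"):
        if not option_is_supported(name):
            raise ValueError("unknown OpenSSL_Options name: %r" % name)
        mask |= OPTION_FLAGS[name]
    return mask


def build_server_context(encryption_protocol, openssl_options=""):
    """Server context: Encryption_Protocol is the floor, TLS 1.3 the ceiling."""
    if encryption_protocol not in PROTOCOL_MIN:
        raise ValueError("Encryption_Protocol must be one of %s" % sorted(PROTOCOL_MIN))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PROTOCOL_MIN[encryption_protocol]
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if openssl_options:
        ctx.options |= parse_options(openssl_options)
    return ctx


def accepted_versions(ctx):
    """Names of the versions the context can still negotiate: inside [min, max]
    and not excluded by an OP_NO_* flag (Python's defaults already set OP_NO_SSLv3)."""
    return [VERSION_NAME[v] for v in NO_VERSION_FLAG
            if ctx.minimum_version <= v <= ctx.maximum_version
            and not ctx.options & NO_VERSION_FLAG[v]]
```

With "TLS1.3" only TLS 1.3 is negotiable, matching the "only allow explicitly TLS 1.3" configuration earlier in the post; with "TLS1.2" both TLS 1.2 and TLS 1.3 remain.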

Last edited by Prodigy; 01-04-2019 at 01:51 PM.