ioFTPD v7.7.7 : First in the world with TLS 1.3 supports?


Prodigy
12-29-2018, 04:04 AM
I am proud to announce possibly the first ever FTPD/FTP server in the world with TLS 1.3 support :D.

Currently the only usable FTP client which supports TLS 1.3 is good old curl!

7.7.7.9999 Changelog :

Upgraded to TCL 8.5.19
Upgraded to OpenSSL 1.1.1a for TLS 1.3 support
Upgraded the compiler to VS 2013 for possible fixes and enhancements
Disabled SSLv2


7.7.7.10000 Changelog :

Fixed Encryption_Protocol implementation


7.7.7.10001 Changelog :

Further fixed the Encryption_Protocol implementation, where enabling SSL3 left no workable TLS auth


7.7.7.10002 Changelog :

Stricter Encryption_Protocol, only allowing the "SSL3, TLS1.0, TLS1.1, TLS1.2, TLS1.3" options


7.7.7.10003 Changelog :

SSLv3 has already been deprecated in OpenSSL 1.1.1; any AUTH SSL attempt will automatically redirect to TLS 1.2


7.7.7.10004 Changelog :

Fixed TLS 1.3 not working from the beginning; now tested. Certificate file generation will now take until the Debug.log file reaches around 950 KB
If you change the "OpenSSL_Ciphers" variable, you need to re-generate the certificate files by stopping ioFTPD, deleting ioFTPD.dhp, ioFTPD.key and ioFTPD.pem from the system folder, and re-running ioFTPD; also watch the system\debug.log file until it stops increasing in size
The longer the "OpenSSL_Ciphers" variable, the longer automatic certificate file generation will take.
7.7.7.10004-1 = Fine Tuned ioFTPD.ini for TLS 1.3


7.7.7.10005 Changelog :

Added more logic check for "Encryption_Protocol" option.
Prevent crashes when unknown "Encryption_Protocol" option being set.
Make TLS 1.2 as default protocol to avoid confusion


7.7.7.10006 Changelog :

Added more all of the OpenSSL 1.1.1a OpenSSL_Options variables
NO_SSLv2 and other OpenSSL_Options variables are deprecated in OpenSSL 1.1.1a, so I have removed them.
7.7.7.10006-1 Added more proper OpenSSL_Ciphers variable for the TLS 1.3 only connection.
7.7.7.10006-1 Redirecting some log messages into Debug.log, instead of Error.log



To test TLS 1.3 server functionality download latest curl from here (https://curl.haxx.se/windows/).
Enable the TLS 1.3 in the ioFTPD.ini :

Encryption_Protocol = TLS1.3
OpenSSL_Ciphers = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256


Above option is to only allow explicitly TLS 1.3.

In the curl bin directory, or anywhere if you have added the curl bin directory to the Windows env path, type the following :

curl -v --ciphers TLS_CHACHA20_POLY1305_SHA256 ftp://127.0.0.1:5420/test.log -k --user ioFTPD:ioFTPD --ssl-reqd



The "--user ioFTPD:ioFTPD" part is the default ioFTPD username:password!, change it if you have custom setup.


To upload a file into ioFTPD root folder :

curl -v --ciphers TLS_CHACHA20_POLY1305_SHA256 ftp://127.0.0.1:5420/ -k --user ioFTPD:ioFTPD --ssl-reqd -T X:\Folder\filename.extension


The ioFTPD dubbed version 7.7.7.10006-1 with TLS 1.3 support! Don't forget: thanks to UltraFine for the countless times testing my build, great job bro!

https://mega.nz/#!AJknjSwR!Id4TO4Xi5kqqCZvaIX0fyF3d-lFUrJRwRrbPZho6apo

Now who will be the first FTP client which supports it :question:. Let's hope my implementation is the correct one!

Note :
We need new certificate files for this one, so please delete your ioFTPD.dhp, ioFTPD.key, ioFTPD.pem from your system folder! After that, when you launch ioFTPD, monitor "C:\ioFTPD\logs\Debug.log" and wait until it reaches around 950 KB or stops increasing in size; then you can start using a client to connect to the ioFTPD server

About the usage of "Encryption_Protocol": the value you set in this option is the minimum supported protocol, so setting "SSL3" means that it will support a minimum of SSLv3 up to TLS 1.3.
TLS 1.3 is the most secure protocol currently supported.


Possible OpenSSL_Options variables:

NO_ANTI_REPLAY
ENABLE_MIDDLEBOX_COMPAT
PRIORITIZE_CHACHA
ALLOW_NO_DHE_KEX
NO_RENEGOTIATION
NO_ENCRYPT_THEN_MAC
SAFARI_ECDHE_ECDSA_BUG
TLSEXT_PADDING
LEGACY_SERVER_CONNECT
DONT_INSERT_EMPTY_FRAGMENTS
ALL
NO_QUERY_MTU
COOKIE_EXCHANGE
NO_TICKET
CISCO_ANYCONNECT
NO_SESSION_RESUMPTION_ON_RENEGOTIATION
NO_COMPRESSION
ALLOW_UNSAFE_LEGACY_RENEGOTIATION
CIPHER_SERVER_PREFERENCE
TLS_ROLLBACK_BUG
NO_SSLv3
NO_TLSv1
NO_TLSv1_1
NO_TLSv1_2
NO_TLSv1_3
CRYPTOPRO_TLSEXT_BUG


More info :

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html


Please set the "OpenSSL_Options" without any spaces in between the variables, for example :

OpenSSL_Options = PRIORITIZE_CHACHA|NO_SSLv3
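
A checker for the two settings described in the post above, as an added example that is not part of the original post and not ioFTPD code: it applies the posted Encryption_Protocol values, the posted OpenSSL_Options list and the no-spaces rule to ini text. The name `lint_ini` and the sample inputs are constructed for illustration, and ioFTPD's own parser may accept other values.

```python
import re

# Accepted values as listed in the post above; ioFTPD's own parser may differ.
PROTOCOLS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
OPTIONS = set("""
NO_ANTI_REPLAY ENABLE_MIDDLEBOX_COMPAT PRIORITIZE_CHACHA ALLOW_NO_DHE_KEX
NO_RENEGOTIATION NO_ENCRYPT_THEN_MAC SAFARI_ECDHE_ECDSA_BUG TLSEXT_PADDING
LEGACY_SERVER_CONNECT DONT_INSERT_EMPTY_FRAGMENTS ALL NO_QUERY_MTU
COOKIE_EXCHANGE NO_TICKET CISCO_ANYCONNECT NO_SESSION_RESUMPTION_ON_RENEGOTIATION
NO_COMPRESSION ALLOW_UNSAFE_LEGACY_RENEGOTIATION CIPHER_SERVER_PREFERENCE
TLS_ROLLBACK_BUG NO_SSLv3 NO_TLSv1 NO_TLSv1_1 NO_TLSv1_2 NO_TLSv1_3
CRYPTOPRO_TLSEXT_BUG
""".split())

def lint_ini(text):
    """Return (key, message) findings for Encryption_Protocol and OpenSSL_Options."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "Encryption_Protocol":
            if value not in PROTOCOLS:
                findings.append((key, f"unknown value {value!r}"))
                # Option names pasted into the protocol setting by mistake.
                stray = [t.strip() for t in value.split("|") if t.strip() in OPTIONS]
                if stray:
                    findings.append((key, "move to OpenSSL_Options: " + ", ".join(stray)))
            elif PROTOCOLS.index(value) < PROTOCOLS.index("TLS1.2"):
                # The post describes this value as the minimum supported protocol.
                findings.append((key, f"minimum {value} admits protocols older than TLS1.2"))
        elif key == "OpenSSL_Options":
            if re.search(r"\s", value):
                findings.append((key, "whitespace between options is not accepted"))
            for tok in filter(None, (t.strip() for t in value.split("|"))):
                if tok not in OPTIONS:
                    findings.append((key, f"not in the posted option list: {tok}"))
    return findings

# Constructed sample inputs (settings of the kind discussed in this thread).
SAMPLES = {
    "strict_tls13": "Encryption_Protocol = TLS1.3\nOpenSSL_Options = PRIORITIZE_CHACHA|NO_SSLv3",
    "options_in_protocol": "Encryption_Protocol = NO_SSLv2 | NO_SSLv3 | TLS1.2\nOpenSSL_Options = ALL",
    "spaced_options": "Encryption_Protocol = TLS1.2\nOpenSSL_Options = NO_SSLv2 | NO_SSLv3",
    "legacy_minimum": "Encryption_Protocol = SSL3\nOpenSSL_Options = ALL",
}

if __name__ == "__main__":
    for name, ini in SAMPLES.items():
        print(name, lint_ini(ini) or "ok")
```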

UltraFine
12-29-2018, 05:41 AM
Oh great. A ftp server with TLS1.3 support. Nice. I will try it. But I did not understand, why I must wait till the Debug.log grows to 363KB. What is this about?

Prodigy
12-29-2018, 05:44 AM
@UltraFine
It's only for the auto certificate generation. It only happens when ioFTPD detects that there are no certificate files, so only the first time.

Prodigy
12-29-2018, 02:42 PM
Added new hotfix 7.7.7.10000

Prodigy
12-29-2018, 06:00 PM
Added new hotfix 7.7.7.10001

Prodigy
12-31-2018, 02:08 AM
Added new hotfix 7.7.7.10002

Prodigy
12-31-2018, 06:08 AM
Added new hotfix 7.7.7.10003

Prodigy
12-31-2018, 04:18 PM
Added new hotfix 7.7.7.10004

UltraFine
01-03-2019, 04:05 AM
Hey Prodigy,

I tested ioFTPD-v7.7.7.10004-1 .rar on my Win10 machine.

I kept my old ioftpd.ini though with the following setting. All other files I overwrote with new ones from the RAR file. I deleted the PEM, KEY and DHP files before starting it, because I wanted io to generate new keys. IO starts but crashes immediately after. My guess is that it has a problem with the "NO_SSLv2" setting. In general I think, even if the setting is wrongly set, ioftpd should quit with a proper message in the log, but not crash.


CRASH-Log.txt
ID: 6300 [01d80000-01d7e0b0]
# 1: 77BCB78C -> [ntdll + 6A78C] ? NtGetContextThread() + 0xC
Wed Jan 02 23:40:10 2019 - ioFTPD v7.7.7
Unhandled exception: Access Violation (0xC0000005)
Address: 0x57E6E321 [attempting to read data from 0x00000061]
PID=3976, PATH=C:\ioFTPD\system\ioFTPD.exe
Thread ID: 15664

ioftpd.ini
;Certificate_Name = ioFTPD
Create_Certificate = True
Explicit_Encryption = True
Encryption_Protocol = NO_SSLv2 | NO_SSLv3 | TLS1.2
OpenSSL_Options = ALL
OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT
Min_Cipher_Strength = 128
Max_Cipher_Strength = 256
Get_External_Ident = True

error.log
01-02-2019 23:39:07 tszEncryptionProtocol : 'NO_SSLv2 | NO_SSLv3 | TLS1.2'.

One more thing: in the ioFTPD-v7.7.7.10004-1 .rar in the ioftpd.ini file the setting is set to
Encryption_Protocol = TLS1.3
This means the MINIMUM requirement for connecting to io is TLS1.3. I think this will create a lot of confusion in people trying to set up ioftpd the first time because there is basically no ftp client (besides curl) at the moment that can handle TLS1.2. In my opinion the default setting for now has to be:
Encryption_Protocol = TLS1.2


UltraFine

Prodigy
01-03-2019, 06:08 AM
@UltraFine
I think there is a confusion about NO_SSLv2 and other settings which should belong in "OpenSSL_Options"

From the ioFTPD.ini

If you do modify this you should also consider passing the
# appropriate NO_SSLv2, NO_SSLv3, and/or NO_TLSv1 options to the library
# via the OpenSSL_Options feature below.

Added some logic check to accommodate unknown "Encryption_Protocol", instead of crashing, ioFTPD just put an error log mentioning "Unknown Encryption_Protocol Option" and running without any TLS or SSL until ioFTPD's "Encryption_Protocol" being fixed and ioFTPD also get restarted.

UltraFine
01-03-2019, 07:09 AM
@UltraFine
I think there is a confusion about NO_SSLv2 and other settings which should belong in "OpenSSL_Options"

From the ioFTPD.ini


Added some logic check to accommodate unknown "Encryption_Protocol", instead of crashing, ioFTPD just put an error log mentioning "Unknown Encryption_Protocol Option" and running without any TLS or SSL until ioFTPD's "Encryption_Protocol" being fixed and ioFTPD also get restarted.

yes. 7.7.7.40005 works with this configuration. It generates a new certificate. The Debug file gets around 90kb in size:

ioftpd.ini
;Certificate_Name = ioFTPD
Create_Certificate = True
Explicit_Encryption = True
Encryption_Protocol = TLS1.2
OpenSSL_Options = NO_SSLv2 | NO_SSLv3
OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT
Min_Cipher_Strength = 128
Max_Cipher_Strength = 256



Error.log

01-03-2019 12:55:38 tszEncryptionProtocol : 'TLS1.2'.
01-03-2019 12:55:38 Method : TLSv1_2_server_method()
01-03-2019 12:55:38 tszEncryptionProtocol : 'TLS1.2'.
01-03-2019 12:55:38 Method : TLSv1_2_server_method()
01-03-2019 12:56:43 tszEncryptionProtocol : 'TLS1.2'.
01-03-2019 12:56:43 Method : TLSv1_2_server_method()
01-03-2019 12:56:43 Unknown option (NO_SSLv2 ) in OpenSSL_Options for service 'FTP_Service'.
01-03-2019 12:56:43 Unknown option ( NO_SSLv3) in OpenSSL_Options for service 'FTP_Service'.


I have two questions:

1) What are the valid options for "OpenSSL_Options" besides "ALL"?
2) Why does it write "tszEncryptionProtocol : 'TLS1.2'." and "Method : TLSv1_2_server_method()" into the log? Is it an error? Because a write into the error.log indicates an "Error" to me. So if it is not an error, why does this show up in the error.log?

Prodigy
01-03-2019, 08:43 AM
@Ultrafine

Added 7.7.7.10006, have fun.

About the "tszEncryptionProtocol " logs appearing in the Error.log, just lazy attempt from me hehe, will do it soon to put in the right location of log file.

UltraFine
01-03-2019, 12:58 PM
@Ultrafine

Added 7.7.7.10006, have fun.

About the "tszEncryptionProtocol " logs appearing in the Error.log, just lazy attempt from me hehe, will do it soon to put in the right location of log file.

Very nice. I like very much what you added now. The list of options should go into ioftpd.ini so new people know about it.

Prodigy
01-03-2019, 02:19 PM
Thank you, will do later on, a few extra kilobytes in the ioFTPD.ini surely won't hurt much as storage is getting cheaper everyday.

larazaa
01-15-2019, 04:26 PM
nice, thx.

eremini
02-21-2019, 07:30 PM
Hi,

Thank you for the build. But with this build ftprush 1.3 won't connect. Any idea what I can do?

[i] Loading SSL DLL ...
[i] OpenSSL 1.0.2o-fips 27 Mar 2018 (LOCKED)
[1] Connecting to ftp://...:***@...
[1] Connecting to 46.4.97.168:43127
[1] 220 FTP Server ready.
[1] AUTH TLS
[1] 234 AUTH TLS successful.
[1]
[1] Network subsystem is unusable(10091)

In debug.log
OpenSSL error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

Actually even the ioftpd-start client doesn't connect. But ftprush 2 and flashfxp work

Wildcat01
03-09-2019, 02:13 PM
[1] Network subsystem is unusable(10091)

I've seen this when the openssl files used by that version of ftprush are not up to date. Make sure you have updated your openssl dll files in both the ftprush install directory and in the data folder called out in that version's options menu.

Also, make sure the site that you are connecting to is setup in ftprush as AUTH SSL, not AUTH TLS for your connect. Using AUTH SSL should likely auto switch to TLS as AUTH SSL is degraded but it should hit an older version, not to v1.3, i.e.:
[2] Encryption algorithm: TLSv1.2

I also turned off TLSv1.3 in ioftpd.ini by setting this
Encryption_Protocol = SSL3
as I use ftprush exclusively at the moment.
.
I have no problem with both ftprush v2 and ftprush v1.1.30 and am running ioftpd v7.7.7 and happy with it....
.

angelshadow
08-04-2019, 11:01 PM
Hi, guys. I want to know where can I download latest ioFTPD v7.7.7 which can support TLS 1.3 ? It will be pleasure if you can reply me with a new url because I can not access to "https://mega.nz/#!AJknjSwR!Id4TO4Xi5kqqCZvaIX0fyF3d-lFUrJRwRrbPZho6apo" with my network!

Thank you very much

Prodigy
02-03-2020, 11:59 PM
@angelshadown
Join the ioFTPD discord server, https://discord.gg/j6GGPXg .

sun
01-01-2021, 11:59 AM
Hey there

Does anyone have a download link, please?

UltraFine
02-01-2021, 07:18 AM
The original v7.7.3 sources found here: https://github.com/DigitalTuna/ioFTPD-v7.7.3
Discord community here: https://discord.gg/j6GGPXg
Current Prodigy v7.7.9.5-1 release: https://mega.nz/file/xMVAQTaA#M20m2k...JHOEcSIv3pPMxw

larazaa
02-07-2021, 05:43 PM
Prodigy v7.7.7.10006-1 Release : https://www.sendspace.com/file/3hdxvm

mantonio1965
03-19-2021, 12:36 PM
The original v7.7.3 sources found here: https://github.com/DigitalTuna/ioFTPD-v7.7.3
Discord community here: https://discord.gg/j6GGPXg
Current Prodigy v7.7.9.5-1 release: https://mega.nz/file/xMVAQTaA#M20m2k...JHOEcSIv3pPMxw
An attempt to access the mega account fires a crypto key request prior to access. Would you mind fixing the link above or providing the necessary information, please? It seems you copied the URL to this repo, as the link contains "..." in its target URL, which is very untypical and a clear hint that an incomplete link has been copied and pasted.

Prodigy
04-06-2021, 02:04 AM
ioFTPD v7.7.9.6


v7.7.9.6 Release Notes:
* Updated into OpenSSL 1.1.1l-dev
* Changed compiler into Microsoft VC 2019 16.9.3
* Fixes crashes when user has no hostname
* Fixes persistent TLS version being applied, now TLS option that has been chosen/setup is being applied properly
* ECDSA related code fixes

v7.7.9 Release Notes:
* Updated into OpenSSL 1.1.1h-dev
* Changed compiler into Microsoft VC 2019 16.7.4
we moved into ECDSA you need to delete & re-generate the ioFTPD.pem, ioFTPD.key, ioFTPD.dhp

How to update :
*Stop the ioFTPD & delete or replace all *.exe & *.dll files inside the (for example c:\ioFTPD).

v7.7.8 Release Notes:
* Updated into OpenSSL 1.1.1g-dev
* Added IP and Hostname into OpenSSL connection related errors log.
* Changed compiler into Microsoft VC 2019 16.5.3
* Changed the default certificate to use ECDSA instead of RSA (Code credit by Wargon @ IRC), since
we moved into ECDSA you need to delete & re-generate the ioFTPD.pem, ioFTPD.key, ioFTPD.dhp




How to update :
*Stop the ioFTPD & delete or replace all *.exe & *.dll files inside the (for example c:\ioFTPD).
*Make comparison of ioFTPD.ini from my build with your current one, make necessary addition or removal of either newly added option or removal of option.


Needed Runtime https://aka.ms/vs/16/release/vc_redist.x86.exe

About release versioning in ioFTPD major.primary.minor.secondary-build-revision (example: 7.7.8.10001-1)

Download :

https://mega.nz/file/JBci0DhT#w4CnmX49m-0mbECFRCBLjNmLsIN3mN40wK2raB99f-E


Warning Notes :

Incompatibility issue with the SmartFTP client! Use either the patched FlashFXP version with support for OpenSSL 1.1.1, or FileZilla or FtpRush v2.x


Later will be posted on discord!.