
ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Old 08-17-2011, 06:53 AM   #1
Stelth
Junior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Jun 2002
Posts: 4
TLS Settings

Hi all

How do I ensure that ONLY TLSv1 is used to log on to io?
What settings do I modify in the .ini?
Old 08-17-2011, 11:36 AM   #2
ArtX
Senior Member
FlashFXP Beta Tester
ioFTPD Foundation User
 
Join Date: Jan 2004
Posts: 301

I'm guessing, change

;Encryption_Protocol = SSL3

to

Encryption_Protocol = TLS
Old 08-17-2011, 12:50 PM   #3
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

I'm curious why you would want to limit it to TLS only? As far as I can tell the TLS, SSL3, and SSL2 just define a way to negotiate with the client so they can agree on an encryption protocol to use and some options to enable (see 'OpenSSL_Options'). There are a number of other more subtle differences but I think the REAL question is which encryption protocols you want to support! That is controlled by 'OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT' which I have set up to ban the lamest ciphers by default...

Fair warning, if you limit OpenSSL to TLS you also limit FXP connections to other servers to TLS only. Sometimes that is OK and other times it might not be, don't be surprised if FXP transfers have issues.

In the future maybe I'll add support for FXP only settings, but right now the control connection and data transfer share the same context because of host fingerprinting, tickets, etc.
Yil is offline   Reply With Quote
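The distinction drawn in the post above, between the protocol setting and the cipher string, can be checked by asking OpenSSL what a cipher string actually admits. This is an added example, not code from the thread or from ioFTPD: the sample fragment is constructed, the `;` comment handling is an assumption about the .ini format, and the expansion reflects the OpenSSL build Python is linked against rather than the libraries shipped with ioFTPD.

```python
import ssl

# Constructed fragment using the two setting names quoted in the thread;
# it is not a real ioFTPD.ini, and the ';' comment handling is an assumption.
SAMPLE_INI = """\
;Encryption_Protocol = SSL3
OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT
"""

def read_settings(text):
    """Return {key: (value, active)}; active is False for ';'-commented lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith(";")
        key, sep, value = line.lstrip("; ").partition("=")
        if sep:
            settings[key.strip()] = (value.strip(), active)
    return settings

def expand_ciphers(cipher_string):
    """Ask the local OpenSSL which suites a cipher string admits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()

def audit(text, min_bits=128):
    """Report the protocol setting and any admitted suite below min_bits."""
    settings = read_settings(text)
    proto, proto_active = settings.get("Encryption_Protocol", (None, False))
    cipher_string, _ = settings["OpenSSL_Ciphers"]
    suites = expand_ciphers(cipher_string)
    return {
        "protocol": proto if proto_active else None,  # None: line is commented out
        "cipher_string": cipher_string,
        "suites": [(c["name"], c["protocol"], c["strength_bits"]) for c in suites],
        "weak": [c["name"] for c in suites if c["strength_bits"] < min_bits],
    }

if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    print("Encryption_Protocol:", report["protocol"] or "(commented out)")
    for name, proto, bits in report["suites"]:
        print(f"{bits:>4} bits  {proto:<8} {name}")
    print("below 128 bits:", report["weak"] or "none")
```
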
Old 08-24-2011, 03:17 AM   #4
Stelth
Junior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Jun 2002
Posts: 4

My motivation was to only allow the BEST/Strongest encryption for my io, and as far as I could read up that was TLS, but as you said there were a few issues with clients other than FlashFXP.
Old 08-25-2011, 10:32 AM   #5
o_dog
Senior Member
 
Join Date: May 2007
Posts: 692

Yil: Would speed improve if one implemented AES-NI support in OpenSSL for Intel i5/i7 CPUs?
__________________
ioNiNJA
Old 08-25-2011, 04:21 PM   #6
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

Speeds would absolutely go up and CPU usage down if encryption used AES-NI. I don't think OpenSSL 1.0.0.x, which is what is currently available, supports it without applying a patch or using the development branch. If you look at OpenSSL-Changelog you can see what I believe is support in v1.0.1 but it doesn't have a release date by it. Hopefully it will just test the hardware and enable itself automatically, else I'll have to add a line or something because we don't use the generic OpenSSL configuration file.

If there's a patch that auto-enables it you can replace the OpenSSL libs since I don't modify them in any way so you can try builds from anyone. Currently ioFTPD and OpenSSL are built for all machines and OpenSSL uses the optional assembly language build for extra speed.

As I mentioned in a post somewhere here I've got a list of performance changes / notes to apply someday. However one of them I haven't done because it's been simpler not to, but if performance is an issue on a gbit LAN or something maybe we'll have to try it. ioFTPD is currently built with VS2008 with a target of all machines. I think faster performance can be gotten if I let the compiler use SSE/SSE2 and release that as a separate build because older machines wouldn't be able to run that. Perhaps I could add some sort of trivial check and output an error if users had the wrong version or something. I could even consider trying the Intel compiler and letting it do even more crazy stuff for newer machines which would probably speed things up.

The reason I mention that build stuff is because you may be able to find an Intel compiler generated core i3+ build using SSE4 instructions out there somewhere and if that would work you can replace the 2 OpenSSL libs and see what happens.

On a slightly different note, I could also play with the TCP window size. I think we're using 64K (the historical max) but now Windows supports much larger advertised sizes. However ioFTPD doesn't seem to have any trouble on 100Mbit networks so it's been good enough for me.
Old 08-25-2011, 04:36 PM   #7
o_dog
Senior Member
 
Join Date: May 2007
Posts: 692

I think there are patches out there that enable AES-NI if it's supported, otherwise it just skips it, not sure though. As for SSE2 I think you should just enable it. Think support was enabled in Athlon XP and Pentium 4/Celeron. If people are using P3 it's time to upgrade =)

Wish Intel would add AES-NI to their Atom lineup but don't think that's gonna happen. It would make it perfect for server usage.
__________________
ioNiNJA

Last edited by o_dog; 08-25-2011 at 04:42 PM.
Old 08-25-2011, 08:48 PM   #8
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194

The patch I saw that supported it required defining something in the openssl config file to actually enable it and we don't use a config file so not sure what that means for us. Probably just a 1 line change, but I'm hoping 1.0.1 comes out before I have to worry about it

Forget the atom, you have to be careful even with the i5's! The entry level mobile core i5 used in most i5 laptops doesn't support AES-NI. What the heck...
Old 08-26-2011, 03:45 AM   #9
o_dog
Senior Member
 
Join Date: May 2007
Posts: 692

I know, but it's retarded. AES-NI with low would be great for a lot of things. Most CPU chipsets should support it today i5+.

Gonna look into VIA PadLock.
__________________
ioNiNJA
All times are GMT -5. The time now is 08:29 AM.