
Enable TLS 1.2 on G6 FTP Server

Given the many security issues with TLS 1.0 and with SSL-encrypted FTP services, it is time to move on to TLS 1.2, an updated version of the SSL layer with better encryption and security.

Some of the FTP sites which I had have implemented TLS 1.2 on various Linux systems; however, I really needed to implement this on my G6 FTP, which I still like to use and have found to be a top-performance FTP server on Windows systems. To do this, do the following:

Drop in OpenSSL >=1.0 (libeay32.dll, ssleay32.dll, libssl32.dll) as a replacement in your G6 installation directory, then add the following line to the settings.ini file of each SSL-enabled FTP domain. You can find these files in the Accounts\yourdomainname subfolders of your G6 FTP installation (scroll across for the full line to copy):

SSLCipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA
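
The cipher string above mixes forward-secret AES-GCM suites with static-key and RC4 suites, and the comments below report the server negotiating AES256-GCM-SHA384, which has no forward secrecy. The following Python script is an added example, not part of the original post or of Gene6: it audits the SSLCipherList line suite by suite. The function names are illustrative and the rules cover OpenSSL 1.0.x suite names only.

```python
# Added example, not Gene6 code: audit the page's SSLCipherList (embedded to run offline).
PAGE_LINE = "SSLCipherList=" + ":".join([
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
    "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384",
    "AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256",
    "ECDH-ECDSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA", "ECDHE-ECDSA-RC4-SHA", "ECDH-RSA-RC4-SHA",
    "ECDH-ECDSA-RC4-SHA", "RC4-SHA", "RC4-MD5", "PSK-RC4-SHA"])
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}   # ephemeral (EC)DH gives forward secrecy
STATIC_KX = {"ECDH", "DH", "PSK"}        # fixed (EC)DH key or pre-shared key
ANON_KX = {"ADH", "AECDH"}               # anonymous DH: server not authenticated

def parse_setting(line):
    """Split 'SSLCipherList=a:b:c' into ['a', 'b', 'c']."""
    key, sep, value = line.strip().partition("=")
    if key.strip() != "SSLCipherList" or not sep:
        raise ValueError("not an SSLCipherList line")
    return [s for s in value.strip().split(":") if s]

def classify(suite):
    """Return the weaknesses of one suite; an empty list means none found."""
    parts = suite.upper().split("-")
    findings = ["RC4 (prohibited in TLS by RFC 7465)"] if "RC4" in parts else []
    if parts[-1] == "MD5":
        findings.append("MD5 MAC")
    if parts[0] in ANON_KX:
        findings.append("anonymous key exchange")
    elif parts[0] not in EPHEMERAL_KX:
        kx = parts[0] if parts[0] in STATIC_KX else "RSA"  # no prefix = RSA transport
        findings.append(f"no forward secrecy ({kx} key exchange)")
    return findings

def audit(line):
    """Map each suite to its findings, keeping the configured order."""
    return {suite: classify(suite) for suite in parse_setting(line)}

def without_broken(line):
    """Rebuild the setting with every RC4 or MD5 suite removed."""
    keep = [s for s, f in audit(line).items()
            if not any(x.startswith(("RC4", "MD5")) for x in f)]
    return "SSLCipherList=" + ":".join(keep)

if __name__ == "__main__":
    for suite, findings in audit(PAGE_LINE).items():
        print(f"{suite:32} {'; '.join(findings) or 'ok'}")
    print(without_broken(PAGE_LINE))
```

AES256-GCM-SHA384 and AES128-GCM-SHA256, the suites the commenters see negotiated, survive `without_broken`, so that filter removes only the RC4 and MD5 entries; the filtered line has not been tested against Gene6 here.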

I have included the OpenSSL files for your convenience; download them here and copy them to the G6 install directory:
Open_SSL_Files_1.0.1e.zip

29 Comments

  1. Ron
    Ron August 24, 2017

    I know this is an old post (and old software); however, I appreciate your efforts to create it. When you have time, I would like to see if you could update it based on the latest OpenSSL files and cipher string.
    Thanks again,
    Ron

    • qwertyweb
      qwertyweb March 12, 2024

      Hi, are there any DLLs for TLS 1.3?

  2. alcatron
    alcatron September 4, 2017

    Hi Ron,

    You can get updated SSL Files from here https://indy.fulgan.com/SSL/

    What kind of cipher are you needing?

    The above setting, when I set it, shows in my FTP client as:

    Encryption algorithm: TLSv1.2 AES256-GCM-SHA384-256

    Which is fine..

    I still haven't found an FTP server as good as G6 FTP server in simplicity and performance. I always wonder why the creator disappeared.

  3. Mike
    Mike February 1, 2018

    I’m running Gene6 v3.10.0.2

    libeay32.dll
    libssl32.dll
    ssleay32.dll (mine didn't have this file)

    I updated the settings.ini here D:\Program Files\Gene6 FTP Server\Different_Accounts\localdomain

    During Service Startup it failed with this:

    From Eventvwr
    Faulting application G6FTPSERVER.EXE, version 3.10.0.2, faulting module unknown, version 0.0.0.0, fault address 0x010d0000.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Any Help would be appreciated.

  4. Mike
    Mike March 13, 2018

    Awesome, thank you alcatron… that workaround worked to get the service started.

  5. Piotr
    Piotr March 16, 2018

    alcatron: how does your server score at https://www.ssllabs.com ?
    Mine is only B due to using “TLS_RSA_WITH_AES_128_GCM_SHA256” without forward secrecy.
    I had exactly the same settings as in the post above, and even started reducing the list of cipher suites, but with no success.

  6. alcatron
    alcatron March 16, 2018

    Hi Piotr, how are you doing this test? According to that site, I can really only test websites with SSL and not FTP servers.

    When you connect to a G6 FTP server with your FTP client you will see this, and you can see it's using TLS v1.2:

    AUTH command ok; starting SSL connection.
    TLSv1.2 negotiation successful…
    TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)

    Data connection accepted from x.x.x.x:49166; transfer starting.
    TLSv1.2 negotiation successful…
    TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)

  7. Piotr
    Piotr March 16, 2018

    Duh, sorry, forgot to mention that you need a domain bound to port 443 in order for this test to work. When I’m connecting to my server with Filezilla it shows: TLS 1.2 AES-128-GCM, similar as I posted before: TLS_RSA_WITH_AES_128_GCM_SHA256
    Recommended set by SSLLabs is: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  8. alcatron
    alcatron March 16, 2018

    In the FTP client are you able to choose a connect mode AUTH SSL or AUTH TLS for a site? Did you try both modes and see if that makes a difference?

  9. Piotr
    Piotr March 17, 2018

    You can perform tests with openssl.exe tool delivered with OpenSSL libraries, something like: openssl.exe s_client -connect your.server.address:990 -tls1_2
    (can also use -tls1_1, -tls1, -ssl3 etc, but my server needs to use only TLS1.2)
    For my server I get:
    ……
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : AES128-GCM-SHA256
    ……..
    while for a built in Windows IIS FTP server with SSLLabs A grade it is:
    ……..
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    ……..

    If I leave only: SSLCipherList=TLS-ECDHE-RSA-AES256-GCM-SHA384 I cannot connect to my server, receiving handshake error 40. I don't know if this is a limitation of Gene6 or some problem with the SSL libraries (got pretty new ones) or Windows…

    • Ricky
      Ricky March 10, 2022

      Did you resolve the issue with ECDHE ciphers?
      After investigation I think it is a limitation of Gene6. ECDHE key exchange is supported in the 1.0.2 OpenSSL lib… Any ideas about it?

  10. Mike
    Mike March 20, 2018

    Alcatron,

    After I successfully upgraded my Gene6, I could only CURL using TLS 1.2. All the other versions failed for me using TLS 1.1, TLS 1.0 and SSLv3.

    curl --tlsv1.1 -T D:\ ftps://:@/outbox/ -k -v

    Error:

    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * TLSv1.1 (OUT), TLS header, Certificate Status (22):
    } [5 bytes data]
    * TLSv1.1 (OUT), TLS handshake, Client hello (1):
    } [214 bytes data]
    * TLSv1.1 (IN), TLS header, Unknown (21):
    { [5 bytes data]
    * TLSv1.1 (IN), TLS alert, Server hello (2):
    { [2 bytes data]
    * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Closing connection 0
    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

  11. alcatron
    alcatron March 21, 2018

    TLS 1.2 is the industry standard, so don't worry about the others; as long as we have v1.2 working we are good.

  12. Mike
    Mike March 27, 2018

    Thx Alcatron,

    I was able to test using WinSCP with different flavors of TLS. BTW, I heard TLS 1.3 just got adopted; hopefully we will have a library update for Gene6 to keep it going.

  13. JGD
    JGD February 18, 2020

    Hello,

    it’s OK with “Open_SSL_Files_1.0.1e.zip”.

    How to use the latest version of SSL libraries?

    If I download the latest version from https://indy.fulgan.com/SSL, I don’t have “libssl32.dll”.
    If I just replace “libeay32.dll”, it doesn’t work anymore. The Gene6 interface tells me that it cannot load the SSL libraries.

    Thank you in advance 🙂

  14. alcatron
    alcatron February 22, 2020

    Hi JGD,

    I had the same problem when I replicated your issue

    If you use this site and install https://slproweb.com/download/Win32OpenSSL-1_0_2u.exe (this is the latest)

    Install with option putting the ssl library files in /bin not in C windows.

    Once installed copy the 3 x dll files to the G6 FTP directory from bin
    libssl32.dll, libeay32.dll, ssleay32.dll

    I got it working and it opened 🙂

    • Matt
      Matt February 28, 2020

      hi mate

      can you please upload those 3 dll to somewhere??

      thank you!!

      • alcatron
        alcatron February 29, 2020

        have you read what I posted above?

    • EIKA
      EIKA October 16, 2021

      Shall I install Win32OpenSSL as well if I run Windows Server x64 bit?

  15. Mega
    Mega March 7, 2020

    Hi,

    I know it might be offtopic, but in my search for help I stumbled across this thread.

    I suddenly got the error mentioned here when clients connect to a G6 FTP server.
    https://forum.filezilla-project.org/viewtopic.php?f=1&p=172705
    It seems certificates created within the admin module are not properly signed.
    I have tried my best to create this key and certificate using tools outside of the G6 FTP server, but when I put them in the G6 FTP server folder and select them for the domains I am no longer able to connect to the server.
    Has anyone tried to create certificates for the server without using the built-in tool?

    /Mega

  16. MG
    MG March 24, 2020

    I tested your solution, and it works well, except since my users started to use Filezilla 4.46.x & +.
    Filezilla says 'A certificate in the chain was signed using an insecure algorithm, Received certificate chain could not be verified.'
    Did you find a solution?

  17. MG
    MG March 24, 2020

    I tested your solution, and it works well, except since users started to use FileZilla 3.46.x & +.
    Did you have the same problem?

  18. MG
    MG March 25, 2020

    I solved my problem with Filezilla 4.46.x+: I recreated the certificate not with Gene6 FTP (RSA-1024 / RSA-MD5), but with OpenSSL (RSA-2048 / RSA-SHA256).

    set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
    cd /d C:\OpenSSL-Win32\bin\
    openssl.exe req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.key" -out "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.crt"

    • Jonathan
      Jonathan April 6, 2020

      Thank you very much for your workaround!

  19. EIKA
    EIKA March 31, 2021

    Hi all!

    Could you please help me? I am using G6 under an x64 server OS. But the x64 OpenSSL archives you specified (like openssl-1.0.2u-x64_86-win64) don't offer any bin folder or openssl.cfg. Also, they call it not CFG, but CNF.

    With no config file, OpenSSL doesn't work.

    Where can I get a config file for OpenSSL x64?

  20. alcatron
    alcatron September 12, 2021

    G6 FTP server is no longer supported by the developer, people should move away from it, as no patches have been provided for a few years or updates, and is a security risk if you run it exposed externally.

  21. EIKA
    EIKA October 15, 2021

    Hi all!

    Was anyone able to use TLS in FileZilla 3.56? After the upgrade, Explicit TLS stopped working for me and for clients.

    From 3.56 changelog: “By default, the minimum allowed TLS version is now TLS 1.2”

    From FileZilla connection log:

    Status: Initializing TLS…
    Error: GnuTLS error -15: An unexpected TLS packet was received.
    Status: Connection attempt failed with “ECONNABORTED – Connection aborted”.

  22. Sniper
    Sniper May 20, 2024

    Finally I was able to set up Gene6 with FTPS:
    1. extract Open_SSL_Files_1.0.1e.zip into the Gene6 FTP server folder
    2. edit my settings.ini file by adding the provided SSLCipherList
    3. create a new cert with the openssl utility (because the cert created with Gene6 has weak 1024-bit encryption and causes errors in some FTP clients):
    – install Win32OpenSSL_Light-3_3_0.exe from https://slproweb.com/products/Win32OpenSSL.html
    – create an empty openssl.cfg in OpenSSL's bin directory
    – create a new cert with the command posted above:
    set OPENSSL_CONF=c:\Program Files (x86)\OpenSSL-Win32\bin\openssl.cfg
    openssl.exe req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.key" -out "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.crt"
    4. enable explicit and implicit mode (21 and 990 ports)
    5. start g6 server
    profit

    Thanks to all for your advice!
