With the many security issues in TLS 1.0 and SSL-encrypted FTP services, it is time to move on to TLS 1.2, the updated version of the SSL/TLS layer with better encryption and security.
Some of the FTP sites I run already have TLS 1.2 on various Linux systems, but I really needed to implement it on my G6 FTP server, which I still like to use and have found to be a top-performance FTP server on Windows systems. To do this we do the following:
Drop in OpenSSL >= 1.0 (libeay32.dll, ssleay32.dll, libssl32.dll) as a replacement in your G6 installation directory, and add the following line to the settings.ini file of each SSL-enabled FTP domain. You can find these files in the Accounts\yourdomainname subfolders of your G6 FTP installation:
SSLCipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA
I have included the OpenSSL files for your convenience; download them here and copy them to the G6 install directory:
Open_SSL_Files_1.0.1e.zip
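As an added example (not part of the original post or of G6 FTP), the following Python script audits an SSLCipherList line of the kind shown above: it parses the line out of a settings.ini fragment, flags suites that are weak or lack forward secrecy, emits a hardened line, and converts the IANA-style suite names that SSL Labs and FileZilla report into OpenSSL's spelling. The settings.ini text is constructed, the WEAK_MARKERS policy is my own choice, and the IANA conversion is assumed to cover only the TLS_..._WITH_AES_... family.

```python
import re

# Constructed settings.ini fragment; suite names are from the post's SSLCipherList line, shortened.
SAMPLE_INI = """[Domain]
Port=21
SSLCipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA
"""

# Name fragments that disqualify a suite for a public FTPS service (my policy, an assumption):
# RC4 (prohibited in TLS by RFC 7465), MD5 MACs, 3DES, NULL and EXPORT grades.
WEAK_MARKERS = ("RC4", "MD5", "DES-CBC3", "NULL", "EXPORT")

def parse_cipher_list(ini_text):
    """Return the suite names on the SSLCipherList= line, or [] if the key is absent."""
    match = re.search(r"^SSLCipherList=(.*)$", ini_text, re.MULTILINE)
    return [s for s in match.group(1).strip().split(":") if s] if match else []

def classify(suite):
    """Judge one OpenSSL-style suite name from its components alone."""
    return {
        "weak": any(marker in suite for marker in WEAK_MARKERS),
        # Only ephemeral (EC)DH gives forward secrecy; plain RSA and static ECDH- do not.
        "forward_secrecy": suite.startswith(("ECDHE-", "DHE-")),
    }

def iana_to_openssl(iana_name):
    """Map an IANA AES suite name (TLS_..._WITH_AES_...) to OpenSSL's spelling; AES family only."""
    tokens = re.sub(r"^TLS_", "", iana_name).split("_")
    tokens = [t for t in tokens if t not in ("WITH", "CBC")]   # OpenSSL omits both words
    if tokens[0] == "RSA":                                    # RSA kx+auth gets no prefix
        tokens = tokens[1:]
    return re.sub(r"AES-(128|256)", r"AES\1", "-".join(tokens))

def harden(suites):
    """Drop weak suites and put forward-secret ones first, keeping relative order."""
    kept = [s for s in suites if not classify(s)["weak"]]
    return ([s for s in kept if classify(s)["forward_secrecy"]]
            + [s for s in kept if not classify(s)["forward_secrecy"]])

def audit(ini_text):
    """Summarise the configured list and build a hardened SSLCipherList= line."""
    suites = parse_cipher_list(ini_text)
    weak = [s for s in suites if classify(s)["weak"]]
    static = [s for s in suites if s not in weak and not classify(s)["forward_secrecy"]]
    return {"weak": weak, "no_forward_secrecy": static,
            "hardened_line": "SSLCipherList=" + ":".join(harden(suites))}

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

The "no_forward_secrecy" entries are the suites that earn a B at SSL Labs even when TLS 1.2 negotiates; if the server refuses to negotiate any ECDHE-/DHE- suite, the hardened line still keeps the static AES-GCM suites so clients can connect.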
I know this is an old post (and old software); however, I appreciate your efforts to create it. When you have time, I would like to see if you could update it based on the latest OpenSSL files and cipher string.
Thanks again,
Ron
Hi, are there any DLLs for TLS 1.3?
Hi Ron,
You can get updated SSL files from here: https://indy.fulgan.com/SSL/
What kind of cipher are you needing?
The above setting, when I set it, shows in my FTP client as:
Encryption algorithm: TLSv1.2 AES256-GCM-SHA384-256
Which is fine.
I still haven't found an FTP server as good as G6 FTP Server in simplicity and performance; I always wonder why the creator disappeared.
I’m running Gene6 v3.10.0.2
libeay32.dll
libssl32.dll
ssleay32.dll (mine didn't have this file)
I updated the settings.ini here: D:\Program Files\Gene6 FTP Server\Different_Accounts\localdomain
During service startup it failed with this:
From Eventvwr:
Faulting application G6FTPSERVER.EXE, version 3.10.0.2, faulting module unknown, version 0.0.0.0, fault address 0x010d0000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Any help would be appreciated.
Hi Mike, follow these instructions: https://support.managed.com/kb/a499/gene6-ftp-server-service-does-not-start-in-windows-server-2008.aspx It's similar to 2008.
Awesome, thank you alcatron... that workaround worked to get the service started.
alcatron: how does your server score at https://www.ssllabs.com ?
Mine is only B due to using “TLS_RSA_WITH_AES_128_GCM_SHA256” without forward secrecy.
I had exactly the same settings as in the post above, and even started reducing the list of cipher suites, but with no success.
Hi Piotr, how are you doing this test? According to that site, I can only really test websites with SSL, not FTP servers.
When you connect to a G6 FTP server with your FTP client you will see this, and you can see it's using TLS v1.2:
AUTH command ok; starting SSL connection.
TLSv1.2 negotiation successful…
TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)
Data connection accepted from x.x.x.x:49166; transfer starting.
TLSv1.2 negotiation successful…
TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)
Duh, sorry, forgot to mention that you need a domain bound to port 443 in order for this test to work. When I'm connecting to my server with FileZilla it shows: TLS 1.2 AES-128-GCM, similar to what I posted before: TLS_RSA_WITH_AES_128_GCM_SHA256
Recommended set by SSLLabs is: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
In the FTP client are you able to choose a connect mode AUTH SSL or AUTH TLS for a site? Did you try both modes and see if that makes a difference?
You can perform tests with the openssl.exe tool delivered with the OpenSSL libraries, something like: openssl.exe s_client -connect your.server.address:990 -tls1_2
(you can also use -tls1_1, -tls1, -ssl3, etc., but my server needs to use only TLS 1.2)
For my server I get:
……
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-GCM-SHA256
……..
while for a built-in Windows IIS FTP server with an SSLLabs A grade it is:
……..
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
……..
If I leave only: SSLCipherList=TLS-ECDHE-RSA-AES256-GCM-SHA384 I cannot connect to my server, receiving handshake error 40. I don't know if this is a limitation of Gene6 or some problem with the SSL libraries (got pretty new ones) or Windows...
Did you resolve issue with ECDHE ciphers?
After investigation I think it is a limitation of Gene6. ECDHE key exchange is supported in the OpenSSL 1.0.2 lib... Any ideas about it?
Alcatron,
After I successfully upgraded my Gene6, I could only curl using TLS 1.2. All the other versions failed for me: TLS 1.1, TLS 1.0 and SSLv3.
curl --tlsv1.1 -T D:\ ftps://:@/outbox/ -k -v
Error:
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.1 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
} [214 bytes data]
* TLSv1.1 (IN), TLS header, Unknown (21):
{ [5 bytes data]
* TLSv1.1 (IN), TLS alert, Server hello (2):
{ [2 bytes data]
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
TLS 1.2 is the industry standard, so don't worry about the others; as long as we have v1.2 working we are good.
Thx Alcatron,
I was able to test using WinSCP with different flavors of TLS. BTW, I heard TLS 1.3 just got adopted; hopefully we will have a library update for Gene6 to keep it going.
Hello,
It's OK with "Open_SSL_Files_1.0.1e.zip".
How to use the latest version of SSL libraries?
If I download the latest version from https://indy.fulgan.com/SSL, I don’t have “libssl32.dll”.
If I just replace “libeay32.dll”, it doesn’t work anymore. The Gene6 interface tells me that it cannot load the SSL libraries.
Thank you in advance 🙂
Hi JGD,
I had the same problem when I replicated your issue.
If you use this site and install https://slproweb.com/download/Win32OpenSSL-1_0_2u.exe (this is the latest):
Install with the option to put the SSL library files in /bin, not in the Windows directory.
Once installed, copy the 3 DLL files from bin to the G6 FTP directory:
libssl32.dll, libeay32.dll, ssleay32.dll
I got it working and it opened 🙂
Hi mate,
can you please upload those 3 DLLs somewhere?
Thank you!!
Have you read what I posted above?
Shall I install Win32OpenSSL as well if I run 64-bit Windows Server?
Hi,
I know it might be off-topic, but in my search for help I stumbled across this thread.
I suddenly got the error mentioned here when clients connect to a G6 FTP server.
https://forum.filezilla-project.org/viewtopic.php?f=1&p=172705
It seems certificates created within the admin module are not properly signed.
I have tried my best to create this key and certificate using tools outside of the G6 FTP server, but when I put them in the G6 FTP server folder and select them for the domains I am no longer able to connect to the server.
Has anyone tried to create certificates for the server without using the built-in tool?
/Mega
I tested your solution, and it works well, except since my users started to use FileZilla 4.46.x and later.
FileZilla says 'A certificate in the chain was signed using an insecure algorithm, Received certificate chain could not be verified.'
Did you find a solution ?
I tested your solution, and it works well, except since users started to use FileZilla 3.46.x and later.
Did you have the same problem?
I solved my problem with FileZilla 4.46.x+: I recreated the certificate not with Gene6 FTP (RSA-1024 / RSA-MD5), but with OpenSSL (RSA-2048 / RSA-SHA256).
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
cd /d C:\OpenSSL-Win32\bin\
openssl.exe req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.key" -out "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.crt"
Thank you very much for your workaround!
Hi all!
Could you please help me? I am using G6 under an x64 server OS. But the x64 OpenSSL archives you specified (like openssl-1.0.2u-x64_86-win64) don't offer a bin folder or an openssl.cfg. Also, they call it not CFG but CNF.
With no config file, OpenSSL doesn't work.
Where can I get a config file for OpenSSL x64?
G6 FTP Server is no longer supported by the developer; people should move away from it, as no patches or updates have been provided for a few years, and it is a security risk if you run it exposed externally.
Hi all!
Was anyone able to use TLS in FileZilla 3.56? After the upgrade, Explicit TLS stopped working for me and my clients.
From 3.56 changelog: “By default, the minimum allowed TLS version is now TLS 1.2”
From FileZilla connection log:
Status: Initializing TLS…
Error: GnuTLS error -15: An unexpected TLS packet was received.
Status: Connection attempt failed with “ECONNABORTED – Connection aborted”.
Finally I was able to set up Gene6 with FTPS:
1. extract Open_SSL_Files_1.0.1e.zip into the Gene6 FTP server folder
2. edit my settings.ini file by adding the provided SSLCipherList
3. create a new cert with the openssl utility (because the cert created with Gene6 has weak 1024-bit encryption and causes errors in some FTP clients):
– install Win32OpenSSL_Light-3_3_0.exe from https://slproweb.com/products/Win32OpenSSL.html
– create empty openssl.cfg in OpenSSL’s bin directory
– create a new cert with the command posted above:
set OPENSSL_CONF=c:\Program Files (x86)\OpenSSL-Win32\bin\openssl.cfg
openssl.exe req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.key" -out "c:\program files (x86)\Gene6 FTP Server\Certificates\New autocert.crt"
4. enable explicit and implicit mode (21 and 990 ports)
5. start g6 server
profit
Thanks to all for your advice!