
I'm trying to secure my infrastructure to meet the PCI-DSS standard using securitymetrics.com. The standard mandates the use of TLS 1.1 minimum (with a CBC cipher). TLS 1.0 is not allowed.

While securing ftp (vsftpd), I have disabled sslv2 and sslv3, but couldn't block TLS 1.0 without also disabling TLS 1.1 and TLS 1.2. The config file has the ssl_tlsv1 option that can be set to YES or NO, but I don't see any way to distinguish between 1.0 and later versions.

How can I enable only TLS 1.1 and better?

Law29
adminz
  • You are working with an unconventional definition of "securing". Can you describe more precisely what you are trying to do? Do you want to turn encryption off entirely? – Law29 Jul 18 '16 at 19:02
  • I'm doing this to pass PCI via securitymetrics.com; it is showing TLSv1.0 is enabled and the server supports at least one cipher – adminz Jul 18 '16 at 19:12
  • ssl_tlsv1=NO works for you? – Navern Jul 18 '16 at 19:37
  • Then I can't connect using FileZilla and CuteFTP. Also, can I enable TLSv1.1 by ssl_tls1.1=yes? – adminz Jul 18 '16 at 19:40
  • I would suggest: `ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO ssl_ciphers=HIGH` – krisFR Jul 18 '16 at 20:02
  • I have done it like this, but securitymetrics shows TLS 1.0 is enabled. – adminz Jul 18 '16 at 20:05
  • My employer is PCI certified, but we never tried to secure FTP. At this point I would go to http://vsftpd.beasts.org/vsftpd_conf.html and contact the e-mail address at the bottom . . . and then come back here and answer your own question! – Law29 Jul 19 '16 at 06:41
  • I edited your question, summarizing what you told us in the comments, so that people will understand better. If I misunderstood something please re-edit the question or make a comment containing "@Law29" – Law29 Jul 19 '16 at 11:13
  • I have done it with ssl_tlsv1=NO ssl_sslv2=NO ssl_sslv3=NO ssl_ciphers=HIGH and I can connect with FileZilla, but CuteFTP is not connecting. – adminz Jul 19 '16 at 22:44

4 Answers

Answer isn't posted, so I thought I'd follow up for the rest...

To disable TLSv1.0 and enable TLSv1.1 and TLSv1.2 just add these two lines and change the third:

ssl_tlsv1_2=YES
ssl_tlsv1_1=YES
ssl_tlsv1=NO

Note that these options are only available with a patched version of vsftpd, and it seems to be installed only on CentOS, and specifically not on Ubuntu. Other distributions may have the patched version as well.

Neil
Rhino

It seems the current official version 3.0.3 actually works fine without the RHEL patch, as it seems you can limit connections to TLSv1.2.
As @Chris Kennedy writes, you can set the following option in the config file:

#Options: SSLv3, TLSv1.0, TLSv1.2, HIGH (see man ciphers)
ssl_ciphers=TLSv1.2

WinSCP Client test results:


Set client to Max SSL 3.0:
Connection failed

Set client to Max TLS 1.0:
Connection failed

Set client to Max TLS 1.1:
Connection failed

Set client to Max TLS 1.2:
Connection succeeded!

Log from WinSCP ver. 5.15.3 with TLS 1.2 connection:

...
. 2020-02-06 15:50:21.774 TLS connect: SSLv3 read server hello A
. 2020-02-06 15:50:21.775 TLS connect: SSLv3 read finished A
. 2020-02-06 15:50:21.775 TLS connect: SSLv3 write change cipher spec A
. 2020-02-06 15:50:21.775 TLS connect: SSLv3 write finished A
. 2020-02-06 15:50:21.775 TLS connect: SSLv3 flush data
. 2020-02-06 15:50:21.775 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
. 2020-02-06 15:50:21.775 TLS connection established

I also played around with the other option values (TLSv1.2, TLSv1.0, SSLv3), and they seem to be respected.

Martin Prikryl
MrCalvin

To limit VSFTPD to TLS 1.2, try setting: ssl_ciphers=TLSv1.2

I don't know if there's an easy way to limit the connection to TLS 1.1 and 1.2.


The vsftpd options of ssl_tlsv1_1 and ssl_tlsv1_2 appear to have been introduced in a patch called vsftpd-2.2.2-tlsv1_2.patch that is included in the vsftpd source code for RHEL-based distributions (checked on CentOS 7). The official vsftpd website and source code from Ubuntu repositories do not appear to include this patch or these tunable options (checked on Ubuntu 18.04).

    Added a link to the Ubuntu launchpad item for this: https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1804430 – Gregoroni Aug 21 '19 at 21:10