Windows – IIS 7.5 FTPS stops working when disabling TLS 1.0

ftpstlswindows

Trying to get a windows 2008 R2 server to the latest PCI standards, which require disabling of TLS 1.0

FTPS stops working once TLS 1.0 is disabled. TLS 1.1 and 1.2 are enabled and all other SSL items (RDP and websites) are working using TLS 1.1 or 1.2 correctly.

Our clients use Core FTP to FTPS to the server (since this appears to be the only FTP software that worked stably with FTPS)

234 AUTH command ok. Expecting TLS Negotiation. TLSv1, cipher TLSv1/SSLv3 (RC4-MD5) - 128 bit

is Core FTP connecting to our server with TLS 1.0 enabled. Once disabled and server rebooted, a connection cannot be established to the server at all.

There doesn't appear to be anywhere in CoreFTP or IIS 7.5 to set which versions of TLS to use. All settings for PCI have been changing using the crypto tool to ensure they are correct.

Any suggestions, or is this another issue with Microsoft products simply not working without TLS 1.0 or SSLv3?

Best Answer

Coreftp does not support anything higher than TLS 1.0. I suggest you use smartftp, which supports up to TLS 1.2.

Related Solutions

SSLCipherSuite – disable weak encryption, cbc cipher and md5 based algorithm

If their only complaint is MD5-based MAC, you should be able to simply add the !MD5 element to your existing cipher suite to meet the recommendation.

That said, I see they complain about the use of the CBC mode as well. Unfortunately, there is no CBC cipher group. The recommendation given to you also does not exclude CBC mode cipherspecs, at least on my version of openSSL (1.0.1e). This is a shame. If you need all such ciphers to be excluded, you could exclude all the CBC ones explicitly, though you will have to update that as they are included. Note that even HIGH includes CBC ciphers.

Including both ALL and RC4+RSA is redundant. I would be loathe to trust a security consultant (even a computerized one) that cannot even construct a well-formed cipherspec that meets their own recommendations.

The SSLCipherSuite takes an OpenSSL cipher spec. You can find this in the openssl documentation (link), but I find that this documentation is usually quite out of date. However, you can test one by running openssl ciphers ${cipherspec} on your server; output will be a :-separated list of ciphers that would be allowed by the given spec, or an error indicating none were allowed.

Similarly, if you want to know what LOW contains, do:

falcon@tiernyn ~ $ openssl ciphers 'LOW'
EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5

!LOW means to exclude those ones. +HIGH means to prefer the high-security ones in the ordering.

If you want a line-delimited list of all the ciphers that use CBC in your cipherspec, do:

openssl ciphers ${cipherspec} | sed 's/:/\n/g' | grep CBC

Those are the ones you'd have to exclude. You may, however, find it more reasonable to grep -v CBC and include only those (just set them up in a :-delimited list and use that as the cipherspec).

Enable TLS 1.0 in windows 2008 R2

TLS 1.0 is enabled by default in Server 2008 R2.

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

[...]

This subkey controls the use of TLS 1.0.

Applicable versions: As designated in the Applies To list that is at the beginning of this topic.

Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the TLS 1.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 0xffffffff.

Source: http://technet.microsoft.com/en-us/library/dn786418.aspx

Best Answer

Related Solutions

SSLCipherSuite – disable weak encryption, cbc cipher and md5 based algorithm

Enable TLS 1.0 in windows 2008 R2

Related Topic