Bug 1363629 - Unable to do TLSv1.2 negotiation with LFTP and GNUTLS
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: lftp
Version: 6.8
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Michal Ruprich
QA Contact: BaseOS QE - Apps
Depends On:
Blocks: 1359261
Reported: 2016-08-03 09:01 UTC by Olivier BONHOMME
Modified: 2017-03-21 11:00 UTC

Fixed In Version: lftp-4.0.9-11.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-03-21 11:00:16 UTC
Target Upstream Version:

Attachments
I created a patch that fits the current lftp version in RHEL6 (4.0.9) (deleted)
2016-09-23 07:27 UTC, Michal Ruprich
Testing package (deleted)
2016-09-23 07:43 UTC, Michal Ruprich

System ID Priority Status Summary Last Updated
Github #117 None None None 2016-08-03 09:01:39 UTC
Red Hat Product Errata RHBA-2017:0701 normal SHIPPED_LIVE lftp bug fix update 2017-03-21 12:39:48 UTC

Description Olivier BONHOMME 2016-08-03 09:01:40 UTC
Description of problem:

It is not possible to make a TLSv1.2 negotiation using the lftp packaged in the RHEL-6 distribution (even in the last release). Actually, even if gnutls has been patched in order to enable TLSv1.2 support, the structure defining the protocol priority excluded TLSv1.2 from the usable protocols in the default behaviour.

The issue is that the lftp provided in RHEL-6 doesn't implement the ssl:priority directive, which allows overriding the GnuTLS negotiation priority.

That's why it's not possible to use the TLSv1.2 protocol with lftp.

Version-Release number of selected component (if applicable): lftp-4.0.9-6.el6_8.2.

How reproducible:

Make a connection to an FTP server allowing only the TLSv1.2 protocol.

Actual results:

lftp returns an error message provided by gnutls: A TLS packet with unexpected length was received. The FTP server says that the negotiation failed, returning a 550 error code (TLS Handshake failed).

Expected results:

The negotiation in TLSv1.2 should be okay and the FTP connection operational.

Additional info:

The ssl:priority option has been implemented in the following commit:

RedHat team already did the job for RHEL-7 :!lftp/373a02466b773fe2dbbfde702aec1848e006ba70/SOURCES!lftp-4.4.8-ssl-tls-restrict.patch

Comment 3 Michal Ruprich 2016-09-23 07:27:16 UTC
Created attachment 1203998
I created a patch that fits the current lftp version in RHEL6 (4.0.9)

Comment 4 Michal Ruprich 2016-09-23 07:43:55 UTC
Created attachment 1204019
Testing package

Comment 5 Michal Ruprich 2016-09-26 05:23:26 UTC
Would it be possible for you to test whether the negotiation works with the changes I made in the testing package I posted?

Comment 7 Olivier BONHOMME 2016-09-28 09:16:01 UTC
I've just tested the test RPM provided and here are my results.

Test case: A proftpd server forced to accept only TLSv1.2 connections (directive TLSProtocol set to value TLSv1.2)

The RPM has been installed on a RHEL system.

The ssl:priority directive is now available in the lftp software. I set the directive to "NORMAL:+VERS-TLS1.2" (GnuTLS priority string format).

The connection is now successful using lftp on the proftpd server. Authentication is OK and directory listing is OK.

Comment 13 errata-xmlrpc 2017-03-21 11:00:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
