
Enable TLS 1.2 on G6 FTP Server

With the many security issues in TLS 1.0 and in SSL-encrypted FTP services, it is time to move on to TLS 1.2, which is an updated version of the SSL layer with better encryption and security.

I have already implemented TLS 1.2 on some of my FTP sites running on various Linux systems; however, I also needed to implement it on my G6 FTP server, which I still like to use and have found to be a top-performing FTP server on Windows systems. To do this:

Drop in OpenSSL >=1.0 (libeay32.dll, ssleay32.dll, libssl32.dll) as a replacement in your G6 installation directory, and add the following line to the settings.ini files for SSL-enabled FTP domains. You can find these files in the Accounts\yourdomainname subfolders of your G6 FTP installation:

SSLCipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA

I have included the OpenSSL files for your convenience. Download them here and copy them to the G6 install directory:
Open_SSL_Files_1.0.1e.zip
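
The SSLCipherList above mixes forward-secret suites with static-RSA, static-ECDH, PSK and RC4 entries. The following added example (not part of the original post or of G6 FTP Server; the function names are illustrative) classifies each suite by its OpenSSL name and derives the subset that offers forward secrecy without RC4 or MD5.

```python
# Added example: audit of the OpenSSL-style cipher string from this post.
# PAGE_CIPHER_LIST is the SSLCipherList value shown above; the function
# names are illustrative and not part of G6 FTP Server or OpenSSL.
PAGE_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:"
    "RC4-SHA:RC4-MD5:PSK-RC4-SHA"
)

# Key-exchange prefixes as they appear in this list; a name with no such
# prefix (e.g. AES256-GCM-SHA384) uses static RSA key exchange.
KX_PREFIXES = ("ECDHE", "DHE", "ECDH", "PSK")
EPHEMERAL = {"ECDHE", "DHE"}  # ephemeral key exchange gives forward secrecy


def classify(suite):
    """Return (key_exchange, issues) for one explicit OpenSSL suite name."""
    parts = suite.upper().split("-")
    kx = parts[0] if parts[0] in KX_PREFIXES else "RSA"
    issues = []
    if kx not in EPHEMERAL:
        issues.append("no forward secrecy")
    if "RC4" in parts:
        issues.append("RC4")
    if parts[-1] == "MD5":
        issues.append("MD5 MAC")
    return kx, issues


def audit(cipher_list):
    """Classify every suite in a colon-separated list, keeping its order."""
    return [(s, *classify(s)) for s in cipher_list.split(":") if s]


def hardened(cipher_list):
    """Keep only suites with forward secrecy and no RC4/MD5, order preserved."""
    return ":".join(s for s, _kx, issues in audit(cipher_list) if not issues)


if __name__ == "__main__":
    for suite, kx, issues in audit(PAGE_CIPHER_LIST):
        print(f"{suite:32} kx={kx:6} {', '.join(issues) or 'ok'}")
    print("\nSSLCipherList=" + hardened(PAGE_CIPHER_LIST))
```

Confirm with a test handshake that the server can actually negotiate one of the remaining suites before deploying the reduced list.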

13 Comments

  1. Ron
    Ron August 24, 2017

    I know this is an old post (and old software); however, I appreciate your efforts to create it. When you have time, I would like to see if you could update it based on the latest OpenSSL files and cipher string.
    Thanks again,
    Ron

  2. alcatron
    alcatron September 4, 2017

    Hi Ron,

    You can get updated SSL Files from here https://indy.fulgan.com/SSL/

    What kind of cipher are you needing?

    The above setting, when I set it, shows in my FTP client as:

    Encryption algorithm: TLSv1.2 AES256-GCM-SHA384-256

    Which is fine..

    I still haven't found an FTP server as good as G6 FTP server, in simplicity and performance. I always wonder why the creator disappeared.

  3. Mike
    Mike February 1, 2018

    I’m running Gene6 v3.10.0.2

    libeay32.dll
    libssl32.dll
    ssleay32.dll ( mine didn’t have this file )

    I updated the settings.ini here D:\Program Files\Gene6 FTP Server\Different_Accounts\localdomain

    During Service Startup it failed with this:

    From Eventvwr
    Faulting application G6FTPSERVER.EXE, version 3.10.0.2, faulting module unknown, version 0.0.0.0, fault address 0x010d0000.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Any Help would be appreciated.

  4. Mike
    Mike March 13, 2018

    Awesome, thank you alcatron… that workaround worked to get the service started.

  5. Piotr
    Piotr March 16, 2018

    alcatron: how does your server score at https://www.ssllabs.com ?
    Mine is only B due to using “TLS_RSA_WITH_AES_128_GCM_SHA256” without forward secrecy.
    I had exactly the same settings as in the post above, and even started reducing the list of cipher suites, but with no success.

  6. alcatron
    alcatron March 16, 2018

    Hi Piotr, how are you doing this test? According to that site I can really only test websites with SSL and not FTP servers.

    When you connect to a G6 FTP server with your FTP client you will see this, and you can see it's using TLS v1.2

    AUTH command ok; starting SSL connection.
    TLSv1.2 negotiation successful…
    TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)

    Data connection accepted from x.x.x.x:49166; transfer starting.
    TLSv1.2 negotiation successful…
    TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)

  7. Piotr
    Piotr March 16, 2018

    Duh, sorry, forgot to mention that you need a domain bound to port 443 in order for this test to work. When I’m connecting to my server with Filezilla it shows: TLS 1.2 AES-128-GCM, similar as I posted before: TLS_RSA_WITH_AES_128_GCM_SHA256
    Recommended set by SSLLabs is: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  8. alcatron
    alcatron March 16, 2018

    In the FTP client are you able to choose a connect mode AUTH SSL or AUTH TLS for a site? Did you try both modes and see if that makes a difference?

  9. Piotr
    Piotr March 17, 2018

    You can perform tests with openssl.exe tool delivered with OpenSSL libraries, something like: openssl.exe s_client -connect your.server.address:990 -tls1_2
    (can also use -tls1_1, -tls1, -ssl3 etc, but my server needs to use only TLS1.2)
    For my server I get:
    ……
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : AES128-GCM-SHA256
    ……..
    while for a built in Windows IIS FTP server with SSLLabs A grade it is:
    ……..
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    ……..

    If I leave only: SSLCipherList=TLS-ECDHE-RSA-AES256-GCM-SHA384 I cannot connect to my server, receiving handshake error 40. I don’t know if this is a limitation of Gene6 or some problem with the SSL libraries (got pretty new ones) or Windows…

  10. Mike
    Mike March 20, 2018

    Alcatron,

    After I successfully upgraded my Gene6, I could only CURL using TLS 1.2. All the other versions failed for me using TLS 1.1, TLS 1.0 and SSLv3.

    curl --tlsv1.1 -T D:\ ftps://:@/outbox/ -k -v

    Error:

    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * TLSv1.1 (OUT), TLS header, Certificate Status (22):
    } [5 bytes data]
    * TLSv1.1 (OUT), TLS handshake, Client hello (1):
    } [214 bytes data]
    * TLSv1.1 (IN), TLS header, Unknown (21):
    { [5 bytes data]
    * TLSv1.1 (IN), TLS alert, Server hello (2):
    { [2 bytes data]
    * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Closing connection 0
    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

  11. alcatron
    alcatron March 21, 2018

    TLS 1.2 is the industry standard, so don't worry about the others; as long as we have v1.2 working we are good.

  12. Mike
    Mike March 27, 2018

    Thx Alcatron,

    I was able to test using WinSCP with different flavors of TLS. BTW, I heard TLS 1.3 just got adopted; hopefully we will have a library update for Gene6 to keep it going.
