Jumping to the end of the thread, it looks like this is an FTP issue that 
repros when TLS 1.2 is negotiated. Not a TLS version intolerance.
The conclusion seems to be that https://support.microsoft.com/en-us/kb/2888853 
resolves the issue, by updating FTP binaries.

Cheers,

Andrei

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of David Benjamin
Sent: Tuesday, June 7, 2016 2:08 PM
To: Yoav Nir <ynir.i...@gmail.com>; Hubert Kario <hka...@redhat.com>
Cc: tls@ietf.org
Subject: Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, 
fallbacks, and server time]

On Tue, Jun 7, 2016 at 5:06 PM Yoav Nir <ynir.i...@gmail.com> wrote:

> On 7 Jun 2016, at 8:33 PM, Hubert Kario <hka...@redhat.com> wrote:
>
> On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote:
>> I’m not sure this helps.
>>
>> I’ve never installed a server that is version intolerant. TLS stacks
>> from OpenSSL, Microsoft,
>
> are you sure about that Microsoft part?
>
> there is quite a long thread on the filezilla forums about TLS version
> tolerance in IIS:
> https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898

That’s surprising.

The last time I tested with IIS servers it was Windows Server 2003 and 2008. 
They did not support TLS 1.2, so I wanted to check if they could tolerate a TLS 
1.2 ClientHello. They did. Of course, they replied with TLS 1.0, but that was 
expected.

It’s strange that this behavior would degrade for much newer versions of 
Windows that came out at a time when several browsers were already offering 
TLS 1.2. I wonder if it’s just the FTP or also IIS.

This is the first I've heard of this and I believe neither Chrome nor Firefox 
accept TLS 1.2 intolerance and below anymore. To my knowledge, that has 
successfully been driven out of the ecosystem.

David
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
