0 votes
by (240 points)

Hello,

I cannot find how to disable SNI and Renegotiation Indication Extension when connecting to an FTPS site.

The site is an IBM mainframe that does not support TLS 1.2, so I am forcing a TLS 1.1 handshake.

The site works perfectly with RebEx 2015 R4.1, but it does not work with RebEx 2017 R6.3. When I run a Wireshark capture on both connections, the only difference between the two versions is that RebEx 2017 R6.3 is adding the SNI extension to the Client Hello, and the TLSEMPTYRENEGOTIATIONINFOSCSV cipher to the list of cipher suites. (It was originally also adding the elliptical curve ciphers as well as two extensions relating to elliptical curves, but those disappeared when I explicitly disabled elliptical curves using the SslAllowedCurves setting.)

The server immediately disconnects after receiving the Client Hello. I have a feeling that it's the SNI extension, because the older RebEx version did not use any SSL extensions at all.

Is there a way to disable SNI and the Renegotiation Indication Extension so that the new version of RebEx will emulate the old one in the Client Hello?

Applies to: Rebex FTP/SSL
by (144k points)
Although this currently cannot be configured easily, we will create a hotfix build that adds Ftp.Settings.SslRenegotiationExtensionEnabled property and send you a link shortly.

1 Answer

0 votes
by (3.9k points)
edited by

Update: This feature is available since Rebex FTP/SSL 2018 R1.


The hotfix is ready and the link is sent to your email. You can set the this property following way:

 ftpClient.Settings.SslRenegotiationExtensionEnabled = true;

This feature will be included in the next release.

by (240 points)
Thank you!  I received an email, but it did not contain the link to download the hotfix, it only contained this answer.

Will this hotfix also allow me to disable SNI?  I have a feeling that it's the SNI (Server Name Indication) extension that is breaking the SSL handshake.  I will try disabling them both and see if it works, then enable each separately to see if it's just one setting or a combination of the two that is causing it to fail.  Thanks!
by (3.9k points)
Sorry for inconvinience. The email has been sent again.

Yes, the hotfix also let you to disable SNI. It can be acheived the following way:

    ftpClient.Settings.SslServerNameIndicationEnabled = false;
...