From d71a4195d68f2a3b0b5359240036e9770962c8d6 Mon Sep 17 00:00:00 2001 From: Anagh Kumar Baranwal <6824881+darthShadow@users.noreply.github.com> Date: Wed, 23 Jul 2025 20:20:31 +0530 Subject: [PATCH] ftp: allow insecure TLS ciphers - fixes #8701 Signed-off-by: Anagh Kumar Baranwal <6824881+darthShadow@users.noreply.github.com> --- backend/ftp/ftp.go | 65 ++++++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 23 deletions(-) diff --git a/backend/ftp/ftp.go b/backend/ftp/ftp.go index 8fbf3ee4a..aedc3ea42 100644 --- a/backend/ftp/ftp.go +++ b/backend/ftp/ftp.go @@ -163,6 +163,16 @@ Enabled by default. Use 0 to disable.`, Help: "Disable TLS 1.3 (workaround for FTP servers with buggy TLS)", Default: false, Advanced: true, + }, { + Name: "allow_insecure_tls_ciphers", + Help: `Allow insecure TLS ciphers + +Setting this flag will allow the usage of the following TLS ciphers in addition to the secure defaults: + +- TLS_RSA_WITH_AES_128_GCM_SHA256 +`, + Default: false, + Advanced: true, }, { Name: "shut_timeout", Help: "Maximum time to wait for data connection closing status.", @@ -236,29 +246,30 @@ a write only folder. // Options defines the configuration for this backend type Options struct { - Host string `config:"host"` - User string `config:"user"` - Pass string `config:"pass"` - Port string `config:"port"` - TLS bool `config:"tls"` - ExplicitTLS bool `config:"explicit_tls"` - TLSCacheSize int `config:"tls_cache_size"` - DisableTLS13 bool `config:"disable_tls13"` - Concurrency int `config:"concurrency"` - SkipVerifyTLSCert bool `config:"no_check_certificate"` - DisableEPSV bool `config:"disable_epsv"` - DisableMLSD bool `config:"disable_mlsd"` - DisableUTF8 bool `config:"disable_utf8"` - WritingMDTM bool `config:"writing_mdtm"` - ForceListHidden bool `config:"force_list_hidden"` - IdleTimeout fs.Duration `config:"idle_timeout"` - CloseTimeout fs.Duration `config:"close_timeout"` - ShutTimeout fs.Duration `config:"shut_timeout"` - AskPassword bool `config:"ask_password"` - Enc encoder.MultiEncoder `config:"encoding"` - SocksProxy string `config:"socks_proxy"` - HTTPProxy string `config:"http_proxy"` - NoCheckUpload bool `config:"no_check_upload"` + Host string `config:"host"` + User string `config:"user"` + Pass string `config:"pass"` + Port string `config:"port"` + TLS bool `config:"tls"` + ExplicitTLS bool `config:"explicit_tls"` + TLSCacheSize int `config:"tls_cache_size"` + DisableTLS13 bool `config:"disable_tls13"` + AllowInsecureTLSCiphers bool `config:"allow_insecure_tls_ciphers"` + Concurrency int `config:"concurrency"` + SkipVerifyTLSCert bool `config:"no_check_certificate"` + DisableEPSV bool `config:"disable_epsv"` + DisableMLSD bool `config:"disable_mlsd"` + DisableUTF8 bool `config:"disable_utf8"` + WritingMDTM bool `config:"writing_mdtm"` + ForceListHidden bool `config:"force_list_hidden"` + IdleTimeout fs.Duration `config:"idle_timeout"` + CloseTimeout fs.Duration `config:"close_timeout"` + ShutTimeout fs.Duration `config:"shut_timeout"` + AskPassword bool `config:"ask_password"` + Enc encoder.MultiEncoder `config:"encoding"` + SocksProxy string `config:"socks_proxy"` + HTTPProxy string `config:"http_proxy"` + NoCheckUpload bool `config:"no_check_upload"` } // Fs represents a remote FTP server @@ -407,6 +418,14 @@ func (f *Fs) tlsConfig() *tls.Config { if f.opt.DisableTLS13 { tlsConfig.MaxVersion = tls.VersionTLS12 } + if f.opt.AllowInsecureTLSCiphers { + var ids []uint16 + // Read default ciphers + for _, cs := range tls.CipherSuites() { + ids = append(ids, cs.ID) + } + tlsConfig.CipherSuites = append(ids, tls.TLS_RSA_WITH_AES_128_GCM_SHA256) + } } return tlsConfig }