ftp: allow insecure TLS ciphers - fixes #8701

Signed-off-by: Anagh Kumar Baranwal <6824881+darthShadow@users.noreply.github.com>

backend/ftp/ftp.go

@@ -163,6 +163,16 @@ Enabled by default. Use 0 to disable.`,
 			Help:     "Disable TLS 1.3 (workaround for FTP servers with buggy TLS)",
 			Default:  false,
 			Advanced: true,
+		}, {
+			Name: "allow_insecure_tls_ciphers",
+			Help: `Allow insecure TLS ciphers
+
+Setting this flag will allow the usage of the following TLS ciphers in addition to the secure defaults:
+
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+`,
+			Default:  false,
+			Advanced: true,
 		}, {
 			Name:     "shut_timeout",
 			Help:     "Maximum time to wait for data connection closing status.",
@@ -244,6 +254,7 @@ type Options struct {
 	ExplicitTLS             bool                 `config:"explicit_tls"`
 	TLSCacheSize            int                  `config:"tls_cache_size"`
 	DisableTLS13            bool                 `config:"disable_tls13"`
+	AllowInsecureTLSCiphers bool                 `config:"allow_insecure_tls_ciphers"`
 	Concurrency             int                  `config:"concurrency"`
 	SkipVerifyTLSCert       bool                 `config:"no_check_certificate"`
 	DisableEPSV             bool                 `config:"disable_epsv"`
@@ -407,6 +418,14 @@ func (f *Fs) tlsConfig() *tls.Config {
 		if f.opt.DisableTLS13 {
 			tlsConfig.MaxVersion = tls.VersionTLS12
 		}
+		if f.opt.AllowInsecureTLSCiphers {
+			var ids []uint16
+			// Read default ciphers
+			for _, cs := range tls.CipherSuites() {
+				ids = append(ids, cs.ID)
+			}
+			tlsConfig.CipherSuites = append(ids, tls.TLS_RSA_WITH_AES_128_GCM_SHA256)
+		}
 	}
 	return tlsConfig
 }