
We are unable to get TLS 1.3 to work with FTPS on IIS on a Windows Server 2022. FTPS on IIS has been working fine for many years, and it relies (to my knowledge) on the Windows Server's Schannel for SSL/TLS support. This means that, running on a Windows Server 2022, it should support TLS 1.3, which is also true for standard web applications.

We installed a Windows Server 2022 Standard server with the normal IIS roles and the FTP features, then disabled TLS 1.0 and 1.1 and configured FTPS and the web server.

For the FTPS service it only supports TLS 1.2, as shown by nmap:

PORT    STATE SERVICE VERSION
990/tcp open  ssl/ftp Microsoft ftpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

For a standard HTTPS web application on the same server, using nmap:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|  least strength: C

List of available ciphers:

PS C:\Users\Administrator> Get-TlsCipherSuite | Format-Table Name
Name                                   
----                                   
TLS_AES_256_GCM_SHA384                 
TLS_AES_128_GCM_SHA256                 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA   
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     
TLS_RSA_WITH_AES_256_GCM_SHA384        
TLS_RSA_WITH_AES_128_GCM_SHA256        
TLS_RSA_WITH_AES_256_CBC_SHA256        
TLS_RSA_WITH_AES_128_CBC_SHA256        
TLS_RSA_WITH_AES_256_CBC_SHA           
TLS_RSA_WITH_AES_128_CBC_SHA           
TLS_RSA_WITH_3DES_EDE_CBC_SHA          
TLS_RSA_WITH_NULL_SHA256               
TLS_RSA_WITH_NULL_SHA                  
TLS_PSK_WITH_AES_256_GCM_SHA384        
TLS_PSK_WITH_AES_128_GCM_SHA256        
TLS_PSK_WITH_AES_256_CBC_SHA384        
TLS_PSK_WITH_AES_128_CBC_SHA256        
TLS_PSK_WITH_NULL_SHA384               
TLS_PSK_WITH_NULL_SHA256

Any ideas if TLS 1.3 is not working/supported with FTPS on IIS, or what the issue is?


Update 2024-07-02: It appears that I am not the only one experiencing difficulties with this issue. Many individuals have opted to use third-party software for FTPS servers instead of relying on FTPS with IIS when TLS 1.3 is required. We are currently doing the same by exploring SFTPGo due to its cross-platform compatibility and feature set.

  • TLS 1.3 is supported starting in Windows Server 2022; do you get any error messages when you use TLS 1.3? Commented Jun 25, 2024 at 8:54
  • The only error I see is when the client connects with TLS 1.3; the event log says: "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. The SSPI client process is svchost[ftpsvc] (PID: 5536)" This is when enforcing a TLS 1.3 connection from the client's side with "openssl s_client -connect <server>:990 -tls1_3". Commented Jul 1, 2024 at 5:24
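The two nmap listings above are easiest to compare programmatically. The following is an added example, not code from the question or from any answer: it parses nmap's ssl-enum-ciphers output in the format quoted above and reports, per listener, whether TLS 1.3 is offered, whether legacy versions are still enabled, and which suites nmap graded below B (here the 3DES suite flagged for SWEET32). The two captures are constructed, abridged from the question's scans.

```python
import re

# Constructed, abridged captures in the nmap ssl-enum-ciphers format quoted in the question.
FTPS_SCAN = """\
990/tcp open  ssl/ftp Microsoft ftpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""
HTTPS_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")          # e.g. "|   TLSv1.2:"
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+)\s+\([^)]*\)\s+-\s+([A-F])\s*$")  # suite line with grade

def parse_enum_ciphers(text):
    """Map each protocol version to {cipher suite: nmap grade}."""
    versions, current = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = versions.setdefault(m.group(1), {})
        elif (m := SUITE_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return versions

def assess(text, worst_ok="B"):
    """Return (offers_tls13, legacy_versions, weak_suites); grades worse than worst_ok are weak."""
    versions = parse_enum_ciphers(text)
    legacy = sorted(v for v in versions if v in ("SSLv3", "TLSv1.0", "TLSv1.1"))
    weak = sorted({s for suites in versions.values() for s, g in suites.items() if g > worst_ok})
    return "TLSv1.3" in versions, legacy, weak

if __name__ == "__main__":
    for name, scan in (("FTPS 990", FTPS_SCAN), ("HTTPS 443", HTTPS_SCAN)):
        tls13, legacy, weak = assess(scan)
        print(f"{name}: TLS 1.3={tls13} legacy={legacy or 'none'} weak={weak or 'none'}")
```

Feed it the full output of `nmap --script ssl-enum-ciphers -p 990,443 <server>` to get the same comparison for a real host.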
