Problem

Is Transfer CFT vulnerable to Extended Master Secret TLS Extension (TLS triple handshake) ?

Following a security scan, it was detected on a CFT port that there was a vulnerability related to EMS TLS.

Report says:
" Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake) port 1762/tcp over SSL

Resolution

Transfer CFT does not support renegotiation it makes it not vulnerable to spoofing attacks using existing sessions.

Even if CFT 3.3.x is not compliant with RFC 7627. (embedded OpenSSL version is 1.0.2k 26 Jan 2017)

CVE-2015-6112 is related to old Windows system that may connect to CFT Ref.: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6112.

"Normally clients and servers will transparently attempt to negotiate the RFC7627 Extended Master Secret option on TLS and DTLS connection."

According to https://www.smartftp.com/fr-fr/support/kb/2766, it is supported since 1.1.0. Extract:
"OpenSSL, which is used by most servers, supports EMS since version 1.1.0 (released 25th August 2016)."

So it will be fixed in Transfer CFT version 3.7 that will include Openssl 1.1.1 (3.0).