We're using IIS 7.5 with Windows Server 2008 and there appears to be a known bug in IIS 7.5 where, when using TLS 1.1 with AES-256-CBC, the server accepts connections and seems to accept uploaded files; however, after a file is uploaded, it responds with error "550 The supplied message is incomplete. The signature was not verified" and deletes the file. The problem seems to be:
"At the end of a TLS session, the party wishing to close the connection must send a closure alert over the encrypted channel. This is needed to distinguish between an orderly end of the session and an attacker dropping connections...Upon seeing the closure alert, it fails the transfer with "550 The supplied message is incomplete. The signature was not verified." and deletes the complete file."
ref ( https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898&start=120 ). Apparently there is a hotfix for Windows 8.1 and Server 2012 to address this: ( http://support.microsoft.com/kb/2888853 ).
Apparently there is a workaround to put an RC4 algorithm at the top of the list so it will be chosen, but we have a strict requirement to use AES-256-CBC.
Everything works fine with TLS 1.0 and AES-256, but we also have the requirement to use TLS 1.1.
Does anyone know if Microsoft has a fix for Windows 2008 or some "workaround" to enable us to use the IIS 7.5 FTPS server with TLS 1.1 and AES-256-CBC algorithm?
Thanks.
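One way to confirm from a packet capture of the FTPS data channel whether the client really sends the closure alert described in the quoted text (example code added here, not from the forum thread or from IIS): a small parser for the 5-byte TLS record header. The sample byte strings are constructed; under TLS 1.1 the alert body is encrypted, so only the content type (21 = alert) is visible, which is still enough to tell an orderly shutdown from a bare TCP close.

```python
import struct

# TLS record content types and the versions relevant to this thread (RFC 4346 for TLS 1.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_records(stream: bytes):
    """Split one direction of a raw TLS byte stream into (type, version, payload) tuples."""
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"not a TLS record header at offset {offset}")
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record at offset {offset}")
        version = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
        records.append((CONTENT_TYPES[ctype], version, payload))
        offset += 5 + length
    if offset != len(stream):
        raise ValueError("trailing bytes after last record")
    return records


def closed_cleanly(stream: bytes) -> bool:
    """True when the last record before the TCP close is an alert record.

    With an encrypting cipher suite such as AES-256-CBC the alert description
    byte (close_notify = 0) is inside the ciphertext, so we only check the
    record type. A stream that ends on application_data was dropped without a
    closure alert, which is what the quoted text says IIS must distinguish.
    """
    records = parse_records(stream)
    return bool(records) and records[-1][0] == "alert"


# Constructed sample: TLS 1.1 data record followed by an encrypted alert record
# (48 bytes = IV + 2-byte alert + MAC + CBC padding for AES-256-CBC with SHA-1).
ORDERLY = (b"\x17\x03\x02\x00\x05" + b"\xaa" * 5) + (b"\x15\x03\x02\x00\x30" + b"\xbb" * 48)
# Constructed sample: same upload, then the connection is simply closed.
ABRUPT = b"\x17\x03\x02\x00\x05" + b"\xaa" * 5

if __name__ == "__main__":
    for name, sample in (("orderly", ORDERLY), ("abrupt", ABRUPT)):
        print(name, [(t, v) for t, v, _ in parse_records(sample)], closed_cleanly(sample))
```

Feed it the client-to-server bytes of a single data connection (for example exported from a capture tool as a raw TCP stream) to see whether the FileZilla-style closure alert is present before the FIN.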