getting error: Primary connection and data connection certif

nix4me
500 Syntax error
Posts: 14
Joined: 2007-12-24 16:39
First name: Mark

getting error: Primary connection and data connection certif

#1 Post by nix4me » 2008-07-31 02:19

When downloading from a drftpd server, I am getting some errors on files. The error is: Primary connection and data connection certificates don't match.

When getting this error, it skips the file and moves on to the next file.

Any idea why this happens? LFTP does not do this. I tried the same download with both clients. I am using Fedora 9 with FileZilla 3.0.11.1.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: getting error: Primary connection and data connection certif

#2 Post by botg » 2008-07-31 08:17

It's a security measure. If control connection and data connection certificates do not match, it is usually a sign of an attacker trying to push malicious files onto you.

Please upgrade to a better server.

nix4me
500 Syntax error
Posts: 14
Joined: 2007-12-24 16:39
First name: Mark

Re: getting error: Primary connection and data connection certif

#3 Post by nix4me » 2008-07-31 21:58

Any way to turn off this security measure? This is a trusted server and I would like to use FileZilla on it.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: getting error: Primary connection and data connection certif

#4 Post by botg » 2008-07-31 22:31

No. But you can download the source code of FileZilla, perform the necessary changes (easy to find) and compile a new executable for yourself.

nix4me
500 Syntax error
Posts: 14
Joined: 2007-12-24 16:39
First name: Mark

Re: getting error: Primary connection and data connection certif

#5 Post by nix4me » 2008-07-31 23:16

Any clues on what source file to start looking in?

nix4me
500 Syntax error
Posts: 14
Joined: 2007-12-24 16:39
First name: Mark

Re: getting error: Primary connection and data connection certif

#6 Post by nix4me » 2008-07-31 23:42

Looks like I found it.
	{
		if (m_implicitTrustedCert.size != cert_list[0].size ||
			memcmp(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size))
		{
			m_pOwner->LogMessage(::Error, _("Primary connection and data connection certificates don't match."));
			Failure(0, ECONNABORTED);
			return FZ_REPLY_ERROR;
		}

		TrustCurrentCert(true);

		if (m_tlsState != conn)
			return FZ_REPLY_ERROR;
		return FZ_REPLY_OK;
	}

I'm just not sure how to disable it. I am no programmer.

opptic
500 Command not understood
Posts: 1
Joined: 2009-08-18 09:46

Re: getting error: Primary connection and data connection certif

#7 Post by opptic » 2009-08-18 10:04

You do not always have control over which FTP server you are connecting to. Therefore, saying you should get better FTP server software is not really helping.

There are other FTP clients where you can turn off this feature, or ignore its security precautions. As for me, I don't really think there is a "sign of an attacker trying to push malicious files onto you". It's just some lazy FTP admin who doesn't care about certificates and just cares about the encryption.

I guess I should post this as a feature request. There should be a checkbox in the preferences window where you can disable certificate mismatch. Or better, have this box per site, in the site manager window. That way I could just disable it for the sites I think are safe.

To answer nix4me: it would be safe just to uncomment the "if" clause, i.e. the if line to 6 lines down.

Cypress
226 Transfer OK
Posts: 121
Joined: 2008-09-13 19:39
First name: J

Re: getting error: Primary connection and data connection certif

#8 Post by Cypress » 2009-08-18 10:42

nix4me wrote: I'm just not sure how to disable it. I am no programmer.
Insert the /* */ where I put them.

Code: Select all

{
		/*if (m_implicitTrustedCert.size != cert_list[0].size ||
			memcmp(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size))
		{
			m_pOwner->LogMessage(::Error, _("Primary connection and data connection certificates don't match."));
			Failure(0, ECONNABORTED);
			return FZ_REPLY_ERROR;
		}*/

		TrustCurrentCert(true);

		if (m_tlsState != conn)
			return FZ_REPLY_ERROR;
		return FZ_REPLY_OK;
	}
Removes certificate comparison check.

---OR---

Code: Select all

{
		if (m_implicitTrustedCert.size != cert_list[0].size ||
			memcmp(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size))
		{
			m_pOwner->LogMessage(::Error, _("Primary connection and data connection certificates don't match."));
			/*Failure(0, ECONNABORTED);
			return FZ_REPLY_ERROR;*/
		}

		TrustCurrentCert(true);

		if (m_tlsState != conn)
			return FZ_REPLY_ERROR;
		return FZ_REPLY_OK;
	}
Leaves notification in log of non-matching certs but shouldn't crap out connection.

Then compile the altered source code.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: getting error: Primary connection and data connection certif

#9 Post by botg » 2009-08-18 14:26

That's quite some security vulnerability if you disable it.
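
A model of the check discussed in this thread, added here as an example and not taken from FileZilla's source: `CertBlob`, `SameCertificate`, `VerifyDataConnection` and `OnMismatch` are hypothetical names, and the certificate bytes are constructed. It shows that the log-only variant from post #8 still accepts a data connection whose certificate differs from the one trusted on the control connection, while the original behaviour rejects it.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for the (data, size) blobs in the quoted snippet.
struct CertBlob { const unsigned char* data; std::size_t size; };

enum class Reply { Ok, Error };
enum class OnMismatch { Abort, LogOnly };  // LogOnly models the second edit in post #8

// True only if both blobs are non-empty and byte-for-byte identical. The size
// test comes first so memcmp never reads past the end of the shorter blob.
bool SameCertificate(const CertBlob& a, const CertBlob& b) {
    if (!a.data || !b.data || a.size == 0 || a.size != b.size) return false;
    return std::memcmp(a.data, b.data, a.size) == 0;
}

// controlCert is the leaf certificate accepted on the control connection;
// dataChain is what the data connection's peer presented.
Reply VerifyDataConnection(const CertBlob& controlCert,
                           const std::vector<CertBlob>& dataChain,
                           OnMismatch policy, std::vector<std::string>& log) {
    if (dataChain.empty()) {
        log.push_back("Data connection presented no certificate.");
        return Reply::Error;
    }
    if (!SameCertificate(controlCert, dataChain[0])) {
        log.push_back("Primary connection and data connection certificates don't match.");
        if (policy == OnMismatch::Abort) return Reply::Error;
        // LogOnly falls through: the transfer continues with an unverified peer.
    }
    return Reply::Ok;
}

// Constructed sample bytes standing in for DER-encoded certificates.
static const unsigned char kServerCert[] = {0x30, 0x82, 0x01, 0x0a, 0xaa, 0xbb};
static const unsigned char kOtherCert[]  = {0x30, 0x82, 0x01, 0x0a, 0xaa, 0xcc};

int main() {
    CertBlob server{kServerCert, sizeof kServerCert}, other{kOtherCert, sizeof kOtherCert};
    std::vector<std::string> log;
    bool strict = VerifyDataConnection(server, {other}, OnMismatch::Abort, log) == Reply::Ok;
    bool lax = VerifyDataConnection(server, {other}, OnMismatch::LogOnly, log) == Reply::Ok;
    std::printf("abort accepts: %d, log-only accepts: %d\n", strict, lax);
}
```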
