FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
Moderator: Project members
-
- 500 Command not understood
- Posts: 5
- Joined: 2019-05-17 15:45
- First name: Mike
- Last name: O'Rourke
FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
I just upgraded from 3.41.1 to 3.42.1 and previously working connections are now failing with this error:
11:50:16 Error: Certificate of connection does not match expected certificate.
11:50:16 Error: The data connection could not be established: ECONNABORTED - Connection aborted
Turning debug logs on, I see:
...
11:53:11 Trace: TLS Handshake successful
11:53:11 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
11:53:12 Error: Certificate of connection does not match expected certificate.
11:53:12 Trace: CTlsSocketImpl::Failure(0)
11:53:12 Trace: CTlsSocketImpl::OnRead()
11:53:12 Error: The data connection could not be established: ECONNABORTED - Connection aborted
11:53:12 Trace: CTransferSocket::TransferEnd(3)
11:53:12 Trace: CFtpControlSocket::OnReceive()
11:53:12 Response: 226 Closing data connection, sent 3041 bytes
...
The same connection from 3.41.1 works correctly and shows:
...
11:55:42 Trace: TLS Handshake successful
11:55:42 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
11:55:42 Status: Verifying certificate...
11:55:42 Status: TLS connection established.
11:55:42 Trace: CControlSocket::SendNextCommand()
11:55:42 Trace: CFtpLogonOpData::Send() in state 5
...
Is there something in the 3.42.1 version that has changed surrounding this, or is there some way to tell what about the certificate is no longer acceptable?
Thanks,
-mike
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
Do you at some point anywhere see a message about an unsorted certificate chain?
-
- 500 Command not understood
- Posts: 5
- Joined: 2019-05-17 15:45
- First name: Mike
- Last name: O'Rourke
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
Nope. That message is nowhere to be seen in the entire log.
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
Which operating system are you using? Did you obtain binaries through https://filezilla-project.org/, a third-party distribution, or did you compile from source?
-
- 500 Command not understood
- Posts: 5
- Joined: 2019-05-17 15:45
- First name: Mike
- Last name: O'Rourke
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
I have replicated this both on FileZilla on my Mac, downloaded from https://filezilla-project.org/download.php?type=client, and on an Ubuntu Linux host, also downloaded via the same link.
-mike
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
For further analysis, would it be possible to obtain a temporary guest account on the affected server?
-
- 500 Command not understood
- Posts: 5
- Joined: 2019-05-17 15:45
- First name: Mike
- Last name: O'Rourke
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
Absolutely. Let me set that up and I will PM you with the login details.
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
Thank you. I can confirm that the server indeed uses a different certificate for the data connection that does not match the control connection. For FTP, matching certificates is an important security requirement to mitigate data connection stealing attacks.
The control connection certificate has the SHA256 fingerprint 76ffac5e761f9dc3c353a08244afe163c54c0335152846580ab0e8c648f3946e with the data connection certificate having fingerprint bab747e19c619b4b352ec63aec07d8f7566d475cbe98f94c8f8d843bea823cec.
Please contact your hosting provider for further assistance so that they can fix the server.
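The comparison described in the reply above, as an added example (not FileZilla's code and not something posted in the thread): a Python sketch using the standard `ftplib` and `ssl` modules that reads the certificate from the control channel and from one data channel of an explicit-FTPS session and compares their SHA-256 fingerprints. The function names and the host, user and password parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate, the form quoted in the thread."""
    return hashlib.sha256(der).hexdigest()


def channels_match(control_der: bytes, data_der: bytes) -> bool:
    """True only when both channels presented the byte-identical certificate."""
    return hmac.compare_digest(sha256_fingerprint(control_der),
                               sha256_fingerprint(data_der))


def fetch_channel_certs(host: str, user: str, password: str) -> tuple[bytes, bytes]:
    """Return (control_der, data_der) from one explicit-FTPS session.

    Verification stays enabled; a verification error raised while opening
    the data channel is itself a finding worth reporting to the provider.
    """
    ftp = FTP_TLS(host, context=ssl.create_default_context(), timeout=30)
    try:
        ftp.login(user, password)            # sends AUTH TLS before USER/PASS
        control_der = ftp.sock.getpeercert(binary_form=True)
        ftp.prot_p()                         # PBSZ 0 + PROT P: protect the data channel
        conn, _ = ftp.ntransfercmd("LIST")   # opens and TLS-wraps the data socket
        try:
            data_der = conn.getpeercert(binary_form=True)
            while conn.recv(8192):           # drain the listing so the transfer completes
                pass
        finally:
            conn.close()
        ftp.voidresp()                       # consume the final transfer reply
        return control_der, data_der
    finally:
        ftp.close()


def report(control_der: bytes, data_der: bytes) -> str:
    verdict = "match" if channels_match(control_der, data_der) else "MISMATCH"
    return (f"control {sha256_fingerprint(control_der)}\n"
            f"data    {sha256_fingerprint(data_der)}\n"
            f"result  {verdict}")


if __name__ == "__main__":
    # Constructed stand-ins for two DER blobs (not real certificates).
    print(report(b"constructed-control-cert", b"constructed-data-cert"))
```

Against a live server, pass the result of `fetch_channel_certs(...)` to `report(...)`; a `MISMATCH` line reproduces the condition that 3.42.1 rejects.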
-
- 500 Command not understood
- Posts: 5
- Joined: 2019-05-17 15:45
- First name: Mike
- Last name: O'Rourke
Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error
I never updated this to document that this is the result of the catch-all setting in the S3 provider section. By adding the Wasabi Provider information, it kept this within the right domain and the certificates matched, problem solved.