Connection Problem, probably TLS Version

Change
504 Command not implemented
Posts: 7
Joined: 2021-10-28 09:43
First name: Christian
Last name: Hange

#1 Post by Change » 2021-10-28 09:53

Hello,

I got FTP login data from a customer but I can't connect to it.

The IT support of the customer told us now that the FTP server only accepts TLS versions up to 1.2. Is there a possibility to set the TLS version in the client for the connection?

Maybe you can help me to connect to the server.

Thank you very very much in advance,

Christian

Connecting error:
Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER XXXUSERYXX
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Could not connect to server

Status: Waiting to retry...
Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 11:49. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.

Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER XXXUSERYXX
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Could not connect to server

boco
Contributor
Posts: 26930
Joined: 2006-05-01 03:28
Location: Germany

#2 Post by boco » 2021-10-28 10:05

If the server supports at least TLS 1.2, the TLS version is not the problem. I'd rather suspect a lack of proper cipher or crypto-suites support.

You need to re-do the log with verbosity level of "4 - Debug" set (Settings - Debug). This will show the handshake process in detail.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

#3 Post by Change » 2021-10-28 11:04

@boco Thank you for your quick answer.

Got this on debug, would you help me to identify the cause of the issue from the log?

Many greetings, Christian

Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER XXXUSERXXX
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Could not connect to server

Status: Waiting to retry...
Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 11:49. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.

Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER XXXUSERXXX
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Could not connect to server

Status: Disconnected from server
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(0)
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 0

Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 12:54. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.

Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2

Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: tls_layer_impl::client_handshake()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: About to send CLIENT HELLO
Trace: TLS handshakep: Sent CLIENT HELLO
Trace: tls_layer_impl::on_send()
Trace: tls_layer_impl::continue_handshake()
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: Received HELLO RETRY REQUEST
Trace: TLS handshakep: Processed HELLO RETRY REQUEST
Trace: TLS handshakep: About to send CLIENT HELLO
Trace: TLS handshakep: Sent CLIENT HELLO
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: Received SERVER HELLO
Trace: TLS handshakep: Processed SERVER HELLO
Trace: TLS handshakep: Received ENCRYPTED EXTENSIONS
Trace: TLS handshakep: Processed ENCRYPTED EXTENSIONS
Trace: TLS handshakep: Received CERTIFICATE
Trace: TLS handshakep: Processed CERTIFICATE
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: Received CERTIFICATE VERIFY
Trace: TLS handshakep: Processed CERTIFICATE VERIFY
Trace: TLS handshakep: Received FINISHED
Trace: TLS handshakep: Processed FINISHED
Trace: TLS handshakep: About to send FINISHED
Trace: TLS handshakep: Sent FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD
Trace: tls_layer_impl::verify_certificate()

Status: Verifying certificate...
Trace: CFtpControlSocket::SetAsyncRequestReply
Status: TLS connection established.
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 6

Command: USER XXXUSERXXX
Trace: CFtpControlSocket::OnReceive()
Trace: tls_layer_impl::failure(-110)

Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 6

Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Status: Waiting to retry...
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 0

Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 12:54. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.

Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2

Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: tls_layer_impl::client_handshake()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: About to send CLIENT HELLO
Trace: TLS handshakep: Sent CLIENT HELLO
Trace: tls_layer_impl::on_send()
Trace: tls_layer_impl::continue_handshake()
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: Received HELLO RETRY REQUEST
Trace: TLS handshakep: Processed HELLO RETRY REQUEST
Trace: TLS handshakep: About to send CLIENT HELLO
Trace: TLS handshakep: Sent CLIENT HELLO
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: Received SERVER HELLO
Trace: TLS handshakep: Processed SERVER HELLO
Trace: TLS handshakep: Received ENCRYPTED EXTENSIONS
Trace: TLS handshakep: Processed ENCRYPTED EXTENSIONS
Trace: TLS handshakep: Received CERTIFICATE
Trace: TLS handshakep: Processed CERTIFICATE
Trace: tls_layer_impl::on_read()
Trace: tls_layer_impl::continue_handshake()
Trace: TLS handshakep: Received CERTIFICATE VERIFY
Trace: TLS handshakep: Processed CERTIFICATE VERIFY
Trace: TLS handshakep: Received FINISHED
Trace: TLS handshakep: Processed FINISHED
Trace: TLS handshakep: About to send FINISHED
Trace: TLS handshakep: Sent FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD
Trace: tls_layer_impl::verify_certificate()

Status: Verifying certificate...
Trace: CFtpControlSocket::SetAsyncRequestReply
Status: TLS connection established.
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 6

Command: USER XXXUSERXXX
Trace: CFtpControlSocket::OnReceive()
Trace: tls_layer_impl::failure(-110)

Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 6

Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)

botg
Site Admin
Posts: 35535
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#4 Post by botg » 2021-10-28 12:35

According to the log the server has in fact accepted TLS 1.3, contradicting the customer's IT support staff.

It is after the handshake's successful completion and after sending the USER command that the connection gets closed.

#5 Post by Change » 2021-10-28 14:05

Thanks for your answer.
So this is a server issue, or am I able to connect with other settings?
And if it's a server issue, does the debug trace show the problem or does the provider need to do more debugging?

Many greetings,

Christian

User avatar
botg
Site Admin
Posts: 35535
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Connection Problem, propably TLS Version

#6 Post by botg » 2021-10-28 14:42

Looks like a server issue, or firewall between client and server issue.

While the log doesn't show why the connection is closed, it shows TLS 1.3 being negotiated. At the very least that information can be shown to the server staff so that they can re-evaluate their knowledge of the server and whether it only supports TLS 1.2.
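
The reading of the debug log given in posts #4 and #6, as an added example that is not part of the original thread or of FileZilla's code: a small Python parser, run on a constructed excerpt in the posted log's format, that reports the negotiated protocol and whether the GnuTLS error came during or after the handshake. The function name `analyze_attempt` and the result keys are hypothetical.

```python
import re

# Constructed sample: a shortened excerpt in the format of the debug log posted above.
SAMPLE_LOG = """\
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Trace: TLS handshakep: Received HELLO RETRY REQUEST
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD
Status: TLS connection established.
Command: USER XXXUSERXXX
Trace: tls_layer_impl::failure(-110)
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Error: Could not connect to server
"""

PROTOCOL_RE = re.compile(r"^Trace: Protocol: (\S+?), .*Cipher: ([^,]+)")
GNUTLS_ERR_RE = re.compile(r"^Error: GnuTLS error (-?\d+) in (\w+)")
# Either line marks a completed handshake; the Trace line only exists at debug verbosity.
HANDSHAKE_DONE = ("Trace: TLS Handshake successful", "Status: TLS connection established.")

def analyze_attempt(log_text):
    """Summarise one connection attempt: negotiated protocol and failure stage."""
    result = {"protocol": None, "cipher": None, "handshake_ok": False,
              "last_command": None, "gnutls_error": None, "failed_in": None,
              "stage": "no TLS failure found"}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Command: "):
            # Keep only the verb so user names never end up in the summary.
            result["last_command"] = line.split()[1]
        elif line in HANDSHAKE_DONE:
            result["handshake_ok"] = True
        elif (m := PROTOCOL_RE.match(line)):
            result["protocol"], result["cipher"] = m.group(1), m.group(2)
        elif (m := GNUTLS_ERR_RE.match(line)):
            result["gnutls_error"] = int(m.group(1))
            result["failed_in"] = m.group(2)
            if result["handshake_ok"]:
                result["stage"] = f"after handshake, reading reply to {result['last_command']}"
            else:
                result["stage"] = "during handshake"
            break  # stop at the first TLS failure of this attempt
    return result
```

A result of `protocol == "TLS1.3"` together with a stage after the handshake is the evidence post #6 suggests showing to the server staff.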

#7 Post by boco » 2021-10-28 18:37

Looks like one of those PureFTPd servers that got flipped over when OpenSSL started supporting TLS 1.3.

These servers do not support TLS 1.3, but are happily announcing support for the highest version supported by OpenSSL (which worked fine until TLS 1.3 came along). Now, they announce a TLS version they can't support.

Best solution: Server admin should upgrade the FTP server software to one supporting TLS 1.3.
Temporary workaround: Server admin must configure the FTP server software so it announces only TLS 1.2.
