IIS 7.5 FTPeS: unexpected TLS packet length: Varies by cert
Posted: 2011-11-28 20:07
Hello,
We are having a strange issue where some of our users connecting to IIS 7.5 FTP with Explicit TLS are receiving the dreaded "GnuTLS error -9: A TLS packet with unexpected length was received. / Server did not properly shut down TLS connection" error message. This only happens using the FileZilla Client -- all other FTP clients we have tested work.
I have already read through all of the existing threads on the forum relating to this issue, but we are seeing something unique: On the same server, same instance of IIS, the TLS negotiation succeeds with some SSL certificates but fails for others. I have also eliminated the other common troubleshooting tasks: a) symptoms occur from remote clients AND while testing on localhost, therefore, it is not a firewall issue. b) certificates are properly installed
For example (go ahead and test these using anonymous authentication):
173.165.230.67:21 uses *.pc-one.net issued by an internal/private CA. TLS negotiation succeeds.
173.165.230.68:21 uses *.pc-one.net issued by DigiCert (US). TLS negotiation fails.
As I said, both of these FTP sites are on the same server. If I switch the SSL certificate bindings between the two sites, the same results are obtained based on which certificate is bound.
Notable differences between the certs:
- Internal cert has no intermediate CAs with signature algorithm: sha512RSA
- External cert has 2 intermediate CAs with signature algorithm: sha1RSA
Since the external cert has 2 additional certificates in the hierarchy, I am wondering if that additional size is the issue. Meaning, is the data not being broken up into packets correctly, or not being reconstructed correctly?
I look forward to your help. Thank you!
Andy
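Added example, not part of the original post and not FileZilla, GnuTLS or IIS code: a small Python checker for the hypothesis above. Given the raw TLS record bytes captured on the control connection after AUTH TLS, it reports whether the server's Certificate handshake message was fragmented across several TLS records, the DER size of each certificate in the chain, and whether the stream ends in a truncated record (a record header promising more bytes than arrived, one condition that yields a length mismatch of the kind GnuTLS reports). The sample input is constructed with dummy certificate blobs and does not reproduce the server's real traffic.

```python
import struct
HANDSHAKE, HS_CERTIFICATE = 22, 11      # TLS record content type / handshake type (RFC 5246)

def parse_records(stream):
    """Split raw TLS bytes into (type, version, body) records; report a truncated tail."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            return records, True        # record header cut off
        ctype, ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            return records, True        # header promises more bytes than arrived
        records.append((ctype, ver, body))
        pos += 5 + length
    return records, False

def reassemble_handshake(records):
    """Join handshake record bodies and split the byte stream into handshake messages."""
    buf = b"".join(b for t, _, b in records if t == HANDSHAKE)
    msgs, pos = [], 0
    while pos + 4 <= len(buf):
        n = int.from_bytes(buf[pos + 1:pos + 4], "big")
        msgs.append((buf[pos], buf[pos + 4:pos + 4 + n]))   # body may be partial if truncated
        pos += 4 + n
    return msgs

def chain_lengths(cert_body):
    """DER length of each certificate listed in a Certificate message body."""
    total, pos, out = int.from_bytes(cert_body[:3], "big"), 3, []
    while pos + 3 <= min(len(cert_body), 3 + total):
        n = int.from_bytes(cert_body[pos:pos + 3], "big")
        out.append(n)
        pos += 3 + n
    return out

def diagnose(stream):
    records, truncated = parse_records(stream)
    msgs = reassemble_handshake(records)
    bodies = [len(b) for t, _, b in records if t == HANDSHAKE]
    certs = [chain_lengths(b) for t, b in msgs if t == HS_CERTIFICATE]
    return {"records": len(records), "truncated": truncated, "chain": certs[0] if certs else [],
            "spans_records": bool(bodies) and any(len(b) + 4 > max(bodies) for _, b in msgs)}

def build_sample(cert_sizes, record_max):
    """Constructed sample: a Certificate message carrying dummy DER blobs, split into records."""
    entries = b"".join(n.to_bytes(3, "big") + bytes([0x30]) * n for n in cert_sizes)
    body = len(entries).to_bytes(3, "big") + entries
    msg = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    chunks = [msg[i:i + record_max] for i in range(0, len(msg), record_max)]
    return b"".join(struct.pack("!BHH", HANDSHAKE, 0x0303, len(c)) + c for c in chunks)
```

To run it against real traffic, feed `diagnose()` the server-to-client bytes of the control connection starting at the first TLS record after the 234 reply to AUTH TLS; a `truncated` result with a long `chain` points at the record stream, a clean result points elsewhere.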