GnuTLS error -12 when trying to connect to with Explicit TLS

botg
Site Admin
Posts: 33242
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: GnuTLS error -12 when trying to connect to with Explicit

#31 Post by botg » 2012-11-15 06:58

*sigh*.

I'm starting to dislike priority strings.

Neither SECURE256 nor SECURE128 contain 3DES, but when combined the proper way they suddenly do. What trickery is that?

botg
Site Admin
Posts: 33242
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: GnuTLS error -12 when trying to connect to with Explicit

#32 Post by botg » 2012-11-15 17:44

Definitely a bug in GnuTLS. Working on a patch as of writing this.

iNDiGLo
504 Command not implemented
Posts: 7
Joined: 2012-11-13 03:54

Re: GnuTLS error -12 when trying to connect to with Explicit

#33 Post by iNDiGLo » 2012-11-23 05:08

Yeah it's fixed.

Pepdeal
500 Command not understood
Posts: 5
Joined: 2011-09-13 03:02
First name: mizanul
Last name: kabir

Re: GnuTLS error -12 when trying to connect to with Explicit

#34 Post by Pepdeal » 2012-11-26 06:39

Thanks for it. I find now it is working.
Removed signature. No advertisement allowed in these forums.

leibniiz
500 Command not understood
Posts: 1
Joined: 2012-12-06 03:16
First name: anthony
Last name: b

Re: GnuTLS error -12 when trying to connect to with Explicit

#35 Post by leibniiz » 2012-12-06 03:30

cecemel wrote:
tom_uk wrote:
Just found a solution for vsftpd, from this thread, I added ssl_ciphers=HIGH to the vsftd.conf and the latest FileZilla can now connect to the FTP server again.
Thank you for this - I was faced with this problem from one of our customers today and this was the answer.
I had the same issue as well. Fixed! Thanks!
Thanks. Worked for me too.


Thank you very much everyone for all of your posts. Your post helped me resolve my secure ftp issue. I was on the precipice of removing vsftpd from my server out of 5 hours of sheer frustration. I had about as much as I could take from this issue. I am very dismayed by FileZilla's lack of compatibility with old server cyphers.

In order for me to get FileZilla to work with my server's vsftpd service I had to add the following to my vsftpd config:

ssl_ciphers=HIGH
and

require_ssl_reuse=NO
The following is a snippet from my modified vsftp.conf file:

#SSL secure ftp log in settings
ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem

botg
Site Admin
Posts: 33242
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: GnuTLS error -12 when trying to connect to with Explicit

#36 Post by botg » 2012-12-06 07:04

require_ssl_reuse=NO is not needed.

xeon
226 Transfer OK
Posts: 128
Joined: 2009-08-19 03:18

Re: GnuTLS error -12 when trying to connect to with Explicit

#37 Post by xeon » 2012-12-06 11:21

leibniiz wrote:

#SSL secure ftp log in settings
ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
In addition to what botg said, you should also remove ssl_sslv2 as it's very old and vulnerable, you might as well remove ssl_sslv3 too.
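
The advice in posts #35 to #37 can be turned into a check on a vsftpd.conf. This is an added example, not code from the thread or from either project; `audit`, `parse_conf` and `only_3des` are hypothetical names, and the defaults table is an assumption taken from the vsftpd man page of the thread's era.

```python
# Added example, not code from the thread: audit vsftpd TLS directives.
# Assumption: DEFAULTS mirror the vsftpd man page of the thread's era (unset ssl_ciphers = 3DES only).
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "ssl_tlsv1": "YES", "require_ssl_reuse": "YES",
            "ssl_ciphers": "DES-CBC3-SHA"}

def parse_conf(text):
    """Overlay key=value lines on the defaults; '#' lines are comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def only_3des(cipher_list):
    """True if every entry of an OpenSSL-style cipher list is a 3DES suite."""
    entries = [e.upper() for e in cipher_list.replace(",", ":").split(":") if e.strip()]
    return bool(entries) and all("DES-CBC3" in e or e == "3DES" for e in entries)

def audit(text):
    """Return findings for the settings discussed in posts #35 to #37."""
    conf = parse_conf(text)
    on = lambda key: conf[key].upper() == "YES"
    if not on("ssl_enable"):
        return ["ssl_enable is not YES: TLS is disabled"]
    findings = []
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if on(proto):
            findings.append(f"{proto}=YES: obsolete protocol enabled, set it to NO")
    if not on("ssl_tlsv1"):
        findings.append("ssl_tlsv1 is not YES: no TLS version left to negotiate")
    if only_3des(conf["ssl_ciphers"]):
        findings.append("ssl_ciphers offers only 3DES: set ssl_ciphers=HIGH")
    if not on("require_ssl_reuse"):
        findings.append("require_ssl_reuse=NO: not needed for the cipher fix")
    return findings

# TLS lines of the snippet posted in #35, reproduced as sample input.
POSTED = """ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

if __name__ == "__main__":
    print("\n".join(audit(POSTED)))
```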

jstrowe
500 Command not understood
Posts: 2
Joined: 2013-01-01 20:36
First name: jim
Last name: st

Re: GnuTLS error -12 when trying to connect to with Explicit

#38 Post by jstrowe » 2013-01-01 20:49

I can see the developer's point but see all of ours. YOU CHANGE THE CLIENT without telling us that our server ciphers need to be changed. We have hundreds of people using the FileZilla client that the overwhelming "assumption" on server security getting changed instantly breaks.

The response below suggests the developer does NOT understand customers. Telling me to change my server every time Filezilla's development decides a cipher needs to be changed and AFTER I find out since the new client BREAKS my server is not change management.

Our points are legitimate. When the client drops cipher support without a change notice or explicitly telling the thousands of users, you blindside thousands of end users and infuriate the server admins who now have to do extra work just because of this decision.

AND telling us "As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers." is such unbelievable arrogance I can't even describe it.

3.5.2 works for explicit tls, 3.5.3 worked after I changed my server cipher. I got blindsided AGAIN with 3.6.0 and 3.6.0.2 since there was no "oh you have to change this CIPHER again since we dropped support since your server is not secure enough".

You don't pay for my labor, I wish you did.


kinsei wrote:
xeon wrote: I don't see how saving cpu cycles is silly. People who say this don't seem to understand just how much is wasted by using a cipher like 3DES.

If anything needs to be done it's vsftpd's dev needing to change their default cipher to something more efficient such as AES/RC4 or perhaps even multiple ciphers this time.

As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers.

If an admin can't even do that maybe it's time to find a new host or admin?
I never said saving CPU cycles is silly. But it is silly that you feel the need to save other people's CPU cycles by FORCING them to switch hosts. Who makes you the person who decides what should be more important for us?

Leaving it as an OPTION allows the best of both worlds. Period.

You get what you want and so does everyone else.

I am not going to pay more money to switch to another host so I can use FileZilla's latest client.

Ridiculous.

boco
Contributor
Posts: 25334
Joined: 2006-05-01 03:28
Location: Germany

Re: GnuTLS error -12 when trying to connect to with Explicit

#39 Post by boco » 2013-01-01 22:09

Please note that the statement you quoted is not from the developer.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

botg
Site Admin
Posts: 33242
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: GnuTLS error -12 when trying to connect to with Explicit

#40 Post by botg » 2013-01-02 08:13

When having to choose between security and performance, security should always take priority.

lovelycoser
500 Command not understood
Posts: 1
Joined: 2013-03-05 08:14

Re: GnuTLS error -12 when trying to connect to with Explicit

#41 Post by lovelycoser » 2013-03-05 08:16

Thank you for the sharing.
We use vsftpd on a linux server. Any clients below 3.5.3 connect fine. I too am reverting back to an older version.

andreiv3103
504 Command not implemented
Posts: 6
Joined: 2013-03-20 11:38
First name: Andrei
Last name: Vida-Ratiu

Re: GnuTLS error -12 when trying to connect to with Explicit

#42 Post by andreiv3103 » 2013-03-20 11:48

Hello
I am experiencing this issue with the latest Filezilla Client (3.6.0.2) when trying to connect to my home diskstation server through FTP with explicit TLS.

Here is the dialog:


Connecting to XX.XX.XX.XX:21...
Status: Connection established, waiting for welcome message...
Response: 220 DiskStation FTP server ready.
Command: AUTH TLS
Response: 234 AUTH SSL command successful.
Status: Initializing TLS...
Trace: TLS Handshake successful
Trace: Cipher: AES-256-CBC, MAC: SHA256
Status: Verifying certificate...
Command: USER XXXXXX
Status: TLS/SSL connection established.
Trace: GnuTLS alert 20: Bad record MAC
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server

I tried with WinSCP and it works. But I would prefer to use Filezilla. Is there anything I can do? Any ideas?
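
A log like the one in post #42 can be triaged by checking whether the fatal alert arrived before or after "TLS Handshake successful". This is an added example, not part of the original post or of FileZilla; `triage` is a hypothetical name, and the second log is constructed for contrast.

```python
# Added example, not code from the thread: locate where a FileZilla TLS log fails.
import re

HANDSHAKE_OK = re.compile(r"Trace:\s*TLS Handshake successful")
CIPHER = re.compile(r"Trace:\s*Cipher:\s*([^,]+),\s*MAC:\s*(\S+)")
ALERT = re.compile(r"Trace:\s*GnuTLS alert (\d+):")
ERROR = re.compile(r"Error:\s*GnuTLS error (-?\d+):")

def triage(log):
    """Say whether the fatal alert arrived during or after the handshake."""
    r = {"handshake_ok": False, "cipher": None, "mac": None,
         "alert": None, "gnutls_error": None, "phase": None}
    for line in log.splitlines():
        if HANDSHAKE_OK.search(line):
            r["handshake_ok"] = True
        elif m := CIPHER.search(line):
            r["cipher"], r["mac"] = m.group(1).strip(), m.group(2)
        elif m := ALERT.search(line):
            r["alert"] = int(m.group(1))
            # An alert before "TLS Handshake successful" is a negotiation
            # failure; one after it hit an already established session.
            r["phase"] = "record layer" if r["handshake_ok"] else "handshake"
        elif m := ERROR.search(line):
            r["gnutls_error"] = int(m.group(1))
    return r

# TLS lines of the log posted in #42.
POSTED_LOG = """Command: AUTH TLS
Response: 234 AUTH SSL command successful.
Status: Initializing TLS...
Trace: TLS Handshake successful
Trace: Cipher: AES-256-CBC, MAC: SHA256
Status: Verifying certificate...
Command: USER XXXXXX
Status: TLS/SSL connection established.
Trace: GnuTLS alert 20: Bad record MAC
Error: GnuTLS error -12: A TLS fatal alert has been received.
"""

# Constructed log (assumption) of a failed negotiation, for contrast.
CONSTRUCTED_LOG = """Command: AUTH TLS
Response: 234 AUTH SSL command successful.
Status: Initializing TLS...
Trace: GnuTLS alert 40: Handshake failed
Error: GnuTLS error -12: A TLS fatal alert has been received.
"""

if __name__ == "__main__":
    print(triage(POSTED_LOG), triage(CONSTRUCTED_LOG), sep="\n")
```

Both logs end in GnuTLS error -12, so the error code alone does not separate a cipher negotiation failure from a failure on an established session; the position of the alert does.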

boco
Contributor
Posts: 25334
Joined: 2006-05-01 03:28
Location: Germany

Re: GnuTLS error -12 when trying to connect to with Explicit

#43 Post by boco » 2013-03-20 16:02

Do you know what OS and FTP server software the target runs, and if it can be updated?

andreiv3103
504 Command not implemented
Posts: 6
Joined: 2013-03-20 11:38
First name: Andrei
Last name: Vida-Ratiu

Re: GnuTLS error -12 when trying to connect to with Explicit

#44 Post by andreiv3103 » 2013-03-20 19:06

The server is a DS211j. The operating system is a proprietary version of Linux that uses a web interface. The version is a DSM 4.2-3202. I don't know if I can change the configuration of the server.

It is true that I recently updated the OS to the version mentioned above. Since then the problem. As I also mentioned, with WinSCP it works OK. I can connect and work with the files.

I logged on through SSH. It says: BusyBox v1.16.1 (2013-03-01 01:20:13 CST) built-in shell (ash).

boco
Contributor
Posts: 25334
Joined: 2006-05-01 03:28
Location: Germany

Re: GnuTLS error -12 when trying to connect to with Explicit

#45 Post by boco » 2013-03-24 02:40

That's some type of Linux. In most cases the configuration can be updated/changed. The question is if it can be changed permanently.

Would be good to know the exact FTP server daemon used (vsftpd, ProFTPd, PureFTPd, etc...). Those have verbose manpages where the exact configuration can be looked up. vsftpd is already known in this thread.
