Can't connect to Windows Server 2012 (IIS 8) FTP when using

j.maletzky
504 Command not implemented
Posts: 10
Joined: 2013-05-07 08:17
First name: Joerg
Last name: Maletzky

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#91 Post by j.maletzky » 2013-05-08 00:25

@Site Admin

You found out that the problem is with the server?

Interesting. How did you do that?

Did you open a case with Microsoft support or did you guess what the
root cause of the problem is?

Joerg

rossh
550 File not found
Posts: 35
Joined: 2013-03-11 09:46
First name: Ross

#92 Post by rossh » 2013-05-11 08:27

botg wrote:I have listened to all your concerns and found out that the problem is with the server. I gave you the correct solution, which is to fix the server. What else can I do?
Oh really? I don't believe you have looked at this issue in depth at all. I think you have just decided on the (it's broken) excuse, because it conveniently fits in with your anti-MS stance.

You have been offered numerous test servers to work with to locate this issue. Have you taken anyone up on the offer and truly identified the conflict?


Please do surprise me - tell us exactly which part of the handshake message or extension component is causing the issue with TLS 1.2? Be precise - you have tested to find the issue ...right?
Don't lie - I have the answer, because I HAVE gone to the trouble of identifying exactly what makes it all fall apart.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#93 Post by botg » 2013-05-11 09:16

rossh wrote:I have the answer, because I HAVE gone to the trouble of identifying exactly what makes it all fall apart.
Your analysis coupled with careful study of the TLS specifications is what I base my results on.

#94 Post by rossh » 2013-05-13 19:23

botg wrote:
I have the answer, because I HAVE gone to the trouble of identifying exactly what makes it all fall apart.
Your analysis coupled with careful study of the TLS specifications is what I base my results on.
So you have never taken anyone up on the offer to test against a real server, or to run different configs to work out which part of GnuTLS is failing, or to watch the traffic at the packet level and sort out which part of the protocol causes the problems, etc. etc. Basically you have no interest at all in making this work properly?

Therefore you have no factual test basis to make your claim of a server defect. How interesting. And how perfect for your little anti-MS campaign hey?

#95 Post by botg » 2013-05-13 22:08

rossh wrote:So you have never taken anyone up on the offer to test against a real server
Taken many offers but never got any credentials.
rossh wrote:or to run different configs to work out which part of GnuTLS is failing, or to watch the traffic at the packet level and sort out which part of the protocol causes the problems, etc. etc. Basically you have no interest at all in making this work properly?
Plenty interest, but no access to an affected server.
rossh wrote:Therefore you have no factual test basis to make your claim of a server defect. How interesting.
You presented the ClientHello record layer version number issue as fact, why should I doubt that?
rossh wrote:And how perfect for your little anti-MS campaign hey?
Please rephrase that. Anti-broken-server campaign it is. If it were FileZilla Server that were not following specs, I would be just as zealous (and of course I would fix the server).

gbaotic
504 Command not implemented
Posts: 10
Joined: 2012-12-04 11:30
First name: Goran
Last name: Baotic

#96 Post by gbaotic » 2013-05-15 08:56

botg wrote:
rossh wrote:So you have never taken anyone up on the offer to test against a real server
Taken many offers but never got any credentials.
OP here. No need for a flame war guys. Has Microsoft been notified of this?
Anyway, I have just sent botg credentials for my IIS 8 FTP server, and I sincerely hope it gets fixed one way or another.

#97 Post by botg » 2013-05-15 17:50

gbaotic wrote:Anyway, I have just sent botg credentials for my IIS 8 FTP server, and I sincerely hope it gets fixed one way or another.
Thank you, I now know why this is happening. It actually has nothing to do with the ClientHello and the used record layer version number.

The fascinating details:
  • Your server's X.509 certificate has been signed using RSA-SHA1 as signature algorithm. SHA1 has a size of 160 bits. Due to the birthday paradox, SHA1 has a cryptographic strength of 80 bits if used in signatures.
  • FileZilla requests GnuTLS to only use algorithms with a cryptographic strength of at least 128 bits. This does not include the RSA-SHA1 signature algorithm since 80 is less than 128.
  • In TLS 1.1 and earlier one could not inform the server what the allowed certificate signing algorithms are; all were allowed.
  • TLS 1.2 provides a mechanism, in the form of an extension, to inform the server what the allowed certificate signing algorithms are.
  • Upon seeing that no suitable certificate exists, IIS closes the connection without sending an alert first. I'm not sure if this is allowed by the specification or not, it is a bit vague in that area, but it certainly is not nice of the server. The best I could find in RFC 5246 is this:
    "Some cases where a server does not agree to an extension are error conditions, and some are simply refusals to support particular features. In general, error alerts should be used for the former, and a field in the server extension response for the latter."
    The server certainly did not agree to the extension requesting strong signing algorithms.
  • Performing the TLS handshake succeeds if allowing RSA-SHA1 as X.509 signature algorithm.
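
The mechanism described in post #97, as an added example that is not part of the original thread and is not FileZilla, GnuTLS or IIS code: it parses the TLS 1.2 signature_algorithms extension (type 13, RFC 5246 section 7.4.1.4.1) from a ClientHello extensions block and checks whether an RSA-SHA1 certificate fits the client's offer. The function names, the sample byte strings and the "digest bits / 2" strength rule (taken from the post's reasoning) are assumptions made for illustration.

```python
import struct

# RFC 5246 section 7.4.1.4.1 code points: HashAlgorithm -> (name, digest bits)
HASHES = {1: ("md5", 128), 2: ("sha1", 160), 3: ("sha224", 224),
          4: ("sha256", 256), 5: ("sha384", 384), 6: ("sha512", 512)}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13


def offer_for_level(min_bits, sig=1):
    """Pairs a client would offer if it rates a hash at digest_bits / 2,
    the rule of thumb used in the post (not GnuTLS's actual policy code)."""
    return [(h, sig) for h, (_, bits) in sorted(HASHES.items()) if bits // 2 >= min_bits]


def build_extensions(pairs):
    """Constructed sample input: an extensions block holding one extension."""
    algs = bytes(b for pair in pairs for b in pair)
    body = struct.pack("!H", len(algs)) + algs
    ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(body)) + body
    return struct.pack("!H", len(ext)) + ext


def parse_signature_algorithms(extensions):
    """Return offered (hash, sig) names, or None when the extension is absent."""
    (total,) = struct.unpack_from("!H", extensions, 0)
    if total != len(extensions) - 2:
        raise ValueError("extensions length mismatch")
    pos = 2
    while pos + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        body = extensions[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SIGNATURE_ALGORITHMS:
            continue
        if len(body) != ext_len or ext_len < 2 or ext_len % 2:
            raise ValueError("malformed signature_algorithms")
        if struct.unpack_from("!H", body, 0)[0] != ext_len - 2:
            raise ValueError("bad list length")
        return [(HASHES.get(h, ("hash%d" % h, 0))[0], SIGS.get(s, "sig%d" % s))
                for h, s in zip(body[2::2], body[3::2])]
    return None


def cert_acceptable(offered, cert_hash, cert_sig):
    """Absent extension (TLS 1.1 and earlier): the client restricted nothing."""
    return offered is None or (cert_hash, cert_sig) in offered


STRICT = build_extensions(offer_for_level(128))   # SHA-256 and stronger
RELAXED = build_extensions(offer_for_level(80))   # also admits RSA-SHA1
print(cert_acceptable(parse_signature_algorithms(STRICT), "sha1", "rsa"))
print(cert_acceptable(parse_signature_algorithms(RELAXED), "sha1", "rsa"))
```

Running the same parser over the extensions block of a captured ClientHello shows whether the server's certificate signature algorithm is among those the client offered.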

#98 Post by botg » 2013-05-15 18:25

I wonder what the security implications of allowing RSA-SHA1 are. At least better alternatives are available, as specified in RFC 4055. I suppose I can allow the RSA-SHA1 signature algorithm again, but from a security standpoint it leaves no good feeling, SHA1 collisions will probably make the news in just a few years.

#99 Post by gbaotic » 2013-05-16 07:46

botg wrote:I wonder what the security implications of allowing RSA-SHA1 are. At least better alternatives are available, as specified in RFC 4055. I suppose I can allow the RSA-SHA1 signature algorithm again, but from a security standpoint it leaves no good feeling, SHA1 collisions will probably make the news in just a few years.
Thanks for the update. However, that does not explain why FileZilla connects just fine to IIS 7.5 (and lower) FTP service (Explicit FTP over TLS) using certificates with the identical RSA-SHA1 signature algorithm. I'm not that well into crypto, but all the certificates I could find around me, including the self-signed one on my FTP server, have the "sha1RSA" signature algorithm.

#100 Post by botg » 2013-05-16 17:44

Only TLS 1.2 supports specifying which signature algorithm to use.

#101 Post by gbaotic » 2013-05-16 17:57

botg wrote:Only TLS 1.2 supports specifying which signature algorithm to use.
Okay. So what's the plan in making this work?

#102 Post by botg » 2013-05-16 19:02

I'm thinking of enabling it in the next version. Probably be out this month still.

#103 Post by rossh » 2013-05-20 18:32

botg wrote:I'm thinking of enabling it in the next version. Probably be out this month still.

It's nice to see you looking into this...

But I think you're only halfway there. Did you try a file send and receive? I think you will find the old problem of 3.5.3 where the server closes the socket abruptly, because the client did not give a required / expected response at the end of the transfer. The client then deems this as a failure and deletes the file.

#104 Post by gbaotic » 2013-05-20 19:17

rossh wrote:
botg wrote:I'm thinking of enabling it in the next version. Probably be out this month still.

It's nice to see you looking into this...

But I think you're only halfway there. Did you try a file send and receive? I think you will find the old problem of 3.5.3 where the server closes the socket abruptly, because the client did not give a required / expected response at the end of the transfer. The client then deems this as a failure and deletes the file.
Agreed. IIRC, with 3.5.3 I could establish an FTPES connection normally, but file transfers did not work properly.

#105 Post by botg » 2013-05-20 21:09

rossh wrote:The client then deems this as a failure and deletes the file.
FileZilla never deletes partial transfers.
