Updated To Version 3.10.0 Now Receiving Errors

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Locked
Message
Author
User avatar
boco
Contributor
Posts: 24784
Joined: 2006-05-01 03:28
Location: Germany

Re: Updated To Version 3.10.0 Now Receiving Errors

#136 Post by boco » 2015-01-28 15:36

The setting is under the Encryption Dropdown in the Site Manager. QuickConnect can't be forced to Plain FTP.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

malbuff
500 Command not understood
Posts: 1
Joined: 2015-01-28 16:44

Re: Updated To Version 3.10.0 Now Receiving Errors

#137 Post by malbuff » 2015-01-28 16:50

boco wrote:Sorry, but that's nary a fix. A proper fix would involve configuring the server in such a way that
- either it properly supports FTP over TLS as it announces,
- or it should neither announce TLS nor support the AUTH command.
Sure, I'll tell the roomful of admins who support dozens of servers for a 50,000-employee company that they need to change their working configs in order to support an unannounced change in the latest version of freeware.

What color is the sky in your world, anyway?


David Malbuff
Senior Systems Engineer, zSpecialist
Core Technologies Division
EMC Corporation

User avatar
boco
Contributor
Posts: 24784
Joined: 2006-05-01 03:28
Location: Germany

Re: Updated To Version 3.10.0 Now Receiving Errors

#138 Post by boco » 2015-01-28 22:46

Yes, do that. Lesse if they are worth their money.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

alanbeasy
504 Command not implemented
Posts: 8
Joined: 2015-01-26 03:39
First name: Alan
Last name: Beasy

Re: Updated To Version 3.10.0 Now Receiving Errors

#139 Post by alanbeasy » 2015-01-29 06:28

Chronicler wrote:
botg wrote:FileZilla now automatically uses FTP over TLS if the server accepts it. Unfortunately there are a few badly configured servers out there. These servers need to be fixed.
I’ve reverted to 3.9.0.6 while waiting for my Web host to deal with the server. In the meantime, is there a way to get rid of the update window that pops up each time I open FileZilla?
How to stop FileZilla Automatic Update and Prompt Window
(After reverting to 3.9.0.6 - from previously kept update in your downloads folder)

1) Find the filezilla.xml in user / AppData / Roaming / Filezilla
2) Save a back up copy and put it somewhere on your desktop (in a new folder).
If you happen to mess up something, you can just put it back and start again - no worries.
2) Open the filezilla.xml file with a text editor such as WordPad.
3) Find the following line: <Setting name="Update Check">0</Setting>
If the value is not '0' change the value '0'
4) Next line: <Setting name="Update Check Interval">0</Setting>
If value is a number such as '7' change the value '0'
5) Find the following lines:
<Setting name="Update Check New Version">nightly 2015-01-24
http://filezilla-project.org/nightlies/ ... _setup.exe 6950896 sha512 828a73b9ef19ae7a6f01a244ed98c2799b4e731b78d00739bd266cfae5563a043d1c02e854f3798545903be9e3641846140c219ccfd7b8203f8273be1c504459 &#x0A;release 3.10.0.2 http://downloads.sourceforge.net/filezi ... -setup.exe 6381120 sha512 f4eba3762d669f442d175f3f16d799da33bd404538e4c9c7c1676c74cafceccfa2851b7bdc77ed9502346bf2667c43814d7af1ef86d82bd25be73e5619c3d561&#x0A;</Setting>
<Setting name="Update Check Check Beta">0</Setting>

Change "nightly" to "never" and delete everything following "never" down to the next </Setting>
<Setting name="Update Check Check Beta">0</Setting>

In other words, delete all this:

2015-01-24
http://filezilla-project.org/nightlies/ ... _setup.exe 6950896 sha512 828a73b9ef19ae7a6f01a244ed98c2799b4e731b78d00739bd266cfae5563a043d1c02e854f3798545903be9e3641846140c219ccfd7b8203f8273be1c504459 &#x0A;release 3.10.0.2 http://downloads.sourceforge.net/filezi ... -setup.exe 6381120 sha512 f4eba3762d669f442d175f3f16d799da33bd404538e4c9c7c1676c74cafceccfa2851b7bdc77ed9502346bf2667c43814d7af1ef86d82bd25be73e5619c3d561&#x0A;

6) Save the file.
7) Go to User / downloads (the default location for update files). Delete the update 3.10.0.1

Now when you open Filezilla, you will not get any update prompt windows.

User avatar
botg
Site Admin
Posts: 32472
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Updated To Version 3.10.0 Now Receiving Errors

#140 Post by botg » 2015-01-29 08:39

Sure, I'll tell the roomful of admins who support dozens of servers for a 50,000-employee company that they need to change their working configs


Yes, if that is what it takes to have the server fixed, go for it.
in order to support an unannounced change in the latest version of freeware.
Your reason is too specific. You do this in order to support each and every FTP over TLS client on this planet.

As it is right now, every client using explicit FTP over TLS on your server fails.
malbuff wrote:What color is the sky in your world, anyway?
Pink, with a hint of rainbow. I think it's going to rain unicorns again tonight. Going to be messy...

R1Lover
500 Command not understood
Posts: 2
Joined: 2015-01-12 21:53
First name: Rhett
Last name: Buck

Re: Updated To Version 3.10.0 Now Receiving Errors

#141 Post by R1Lover » 2015-01-29 23:47

Fatbat wrote:
botg wrote:
xeon wrote:I actually wouldn't be surprised at all. I know for a fact that most of the hosting companies you've listed are inept. In fact, most hosting companies in existence are inept at what they do.

You also have to take into account that most hosting companies use outdated Linux distributions like RHEL/CentOS. Very rarely does RedHat backport any meaningful bug or security fixes, they fail just as much as the hosting companies using them.
My guess is that they all use some off-the-shelf enterprise hosting platform, with a different skin to make it look like their own. Most of them probably are just resellers anyhow.
Typical pretentious programmers/IT people. You're better than everyone else. Nobody else knows what they are talking about. Everyone else is inept. Seriously, give it a rest. Rackspace has close to 6,000 employees and data centers in four countries. Liquidweb is highly resepcted and has three of its own data centers in Michigan and one in Arizona. Softlayer is owned by IBM, again with multiple data centers in Texas and elsewhere. These guys aren't some fly by night resellers that don't know what they are talking about. My Liquidweb server has been tested and works, but the Filezilla update doesn't work for me locally. Why is that?

Who thought it would be a good idea to change your default FTP protocol to something that wouldn't work on 99% of the world's servers and/or default settings that won't work for anyone out of the box locally? That would be inept.

Spot on, well said, and it looks like filezilla will no longer be the "go to" FTP program to use and recommend.

There is nothing worse than a stubborn programmer thinking "this is my opinion, therefore, I rule the world" and one that won't listen to his customers and users of the actual product.

User avatar
botg
Site Admin
Posts: 32472
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Updated To Version 3.10.0 Now Receiving Errors

#142 Post by botg » 2015-01-30 09:26

There is nothing worse than a stubborn programmer thinking "this is my opinion, therefore, I rule the world" and one that won't listen to his customers and users of the actual product.
You're confusing opinion with fact. It is fact that these servers or their firewalls aren't correctly configured for FTP over TLS. It is something that can only be fixed server-side.

Were I actually ruler of the world I would not have added the option in the site manager to force use of plaintext FTP. In my opinion having that option is a bad idea.

kaitco
500 Command not understood
Posts: 3
Joined: 2015-01-30 14:26

Re: Updated To Version 3.10.0 Now Receiving Errors

#143 Post by kaitco » 2015-01-30 15:41

boco wrote:The setting is under the Encryption Dropdown in the Site Manager. QuickConnect can't be forced to Plain FTP.
Is there any way that a future update could include an option in the general settings to allow Plain FTP throughout the application? QuickConnect is the easiest way to reach multiple sites and an all encompassing setting to force Plain FTP could help stem the flow of complaints and attempted wit in these responses.

This reminds me of how several years ago, there was a furor over the fact that the directory listing would no longer display after the server improperly timed out. The ideal solution was to change the server settings, but the best resolution for most users was to keep the current directory listing viewable until an action taken by the user reconnected to the server.

Ideally, servers that claim they accept FTP over TLS will receive the proper updates to remain secure, but users acknowledge the security risks associated with using Plain FTP by switching from the default in the Site Manager. FTP over TLS could (and should) remain the default, but an overall setting would help bridge the gap between servers over which they have no control and day-to-day use.

tiikeri
500 Command not understood
Posts: 1
Joined: 2015-02-02 11:56

Re: Updated To Version 3.10.0 Now Receiving Errors

#144 Post by tiikeri » 2015-02-02 13:49

Hello everybody,
First of all this is my first post on here, but I'm a FileZilla user from almost 12/13 years.
So I wish to thank at first FZ developers for everyday they let me forgot command line tool for connecting to a server.

As most users who write in this thread I received the Error by connecting to my sites as I used to with previous version of FileZilla. I'm not a programmer (I write HTML/CSS and very very very basic Javascript and php) but I have some experiences on the Internet, and I CARE about security.

I am paranoid. I know, I should talk with an analyst, but my paranoid world is populated by bad hackers, and I saw big and small (estimated or not) Companies with sites and server misconfigured or outdated. Sometimes it is a fortune. Maybe lots of my sites are bugged too and I don't know that.
Things change, technology goes on, I heard about HeartBleed, a young italian programmer made a tool to discover if your server is affected, check it out.

If you are missing my point (remember, don't listen to me, I'm paranoid), let me explain.

You live in an apartment, part of a great building. Let's say, like a shared hosting. Imagine that, to unlock the door, you need to digit a key that the tenant gives you (FTP) through a terminal. To make it easy, you use a smart-card (filezilla) you insert everytime you want open your door instead of digiting it in a terminal.
Lots of robbers learned how to unlock FTP, don't mind about your smartcard.
So your tenant and your smart-card producer make available to you new solution to keep you flat safe from robber, and they implement new solutions like SFTP or FTPS.

Now you can't enter the door, and the problem is if the door recognize the new implementation in the smartcard. You found that the old smart-card still work, and in case, you can set the new smartcard to use the old unsafe FTP.
You can say:
"I'm good with it, I have nothing to hide, nothing to be stolen for" and hope your clients do the same.

But if not?
ok, I'm paranoid. I read about Respected hosting company who answered "use plain FTP", which is unacceptable for me, mainly because the way of working/thinking.

Since people cited big hosting company, here is my experience with GreenGeeks (I'm not an affiliate, a worker, or reseller of them, I'm just a satisfied client since 4 years and the only reason I mention them is just because they made a good job).

Just a week ago I told them the problem, I thought it was caused by some changes they made.

They replied to me that no changes were made by their side, but I could use SFTP over port 22 with main account, and FTP port 21 for other account I created. But port 21 won't work.

I said them that something could be changed in the last recent version of FZ, maybe the way the connection is managed and I said them that I should consult the Filezilla forum. They passed the ticket to an Higher tech level and keep it open till today, recommending me to keep them updated about the issue.

I read this thread, and I contacted my hosting provider linking this topic and told them that FTP should be passed over TLS.

after 13 minutes (from 05:13:52 to 05:27:12) they come back with a solution:
"I've corrected some settings on our server.
Please test connection through port 21 now."

FIXED.

So, all those reliable hosting companies mentioned are not so good as expected. If they do not support FTP over TLS, it's ok since they let you use SFTP, but it's NOT if they use plain FTP.

Don't be upset with FileZilla if they provide more security for your business (or no-profit activity), just don't believe all the bullshits written for SEO marketing where you can read "Host X is the best" or "Host Y sucks". Trust your experience, trust old consolidated open-source projects (and why not, new ones), and keep in mind that things change, something was good before, could not be good now.

Still not convinced?
Ok. Many people here have tons of sites, I guess most of you are webdesigner like me, so what about if all major browsers introduce some rules that may conflict with your software? You will ask Firefox to go back or you will go to update your code?

Aside this, I was able to connect to some of my sites hosted on "Hosting Sostenibile" (small but very nice company) and I had no problems of sort.

with love :)

splice
500 Command not understood
Posts: 3
Joined: 2015-02-02 18:11
First name: A.
Last name: Splice

SOLVED Updated To Version 3.10.0 Now Receiving Errors

#145 Post by splice » 2015-02-02 18:39

Solved this issue server-side. Maybe someone else mentioned this but I haven't read through all 10 pages of the thread. Filezilla stating 'a few servers may be improperly configured.' Well if by 'a few' they mean 'all commerical servers running WHM/cPanel', then yes.

The problem is simply that the proper ports arent being opened and defined by the FTP server and server firewall to allow for TLS in passive mode. Here is the super simple solution, this is for servers running pure-ftp and csf firewall, as most cPanel servers do. Of course, the server admin has to be the one to fix this.

1) Open ports in /etc/pure-ftpd.conf : uncomment the line { #PassivePortRange 30000 50000 }
2) Open ports in /etc/csf/csf.conf (or whatever firewall): add 30000:50000 to the TCP_IN line
3) TLS encryption can be left on 'optional' in the 'FTP server configuration' section of WHM

that's it.

So really, it's kind of not really a Filezilla issue. Many default server configurations are allowing TLS by the FTP server (so the connection is accepted), but the required ports aren't configured, hence the connection timing out. More or less anyway.

That being said, it would be nice if Quick Connect could also be told to use plain FTP. Why only in site manager is beyond me. I think most of the general audience probably uses only Quick Connect.

User avatar
botg
Site Admin
Posts: 32472
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: SOLVED Updated To Version 3.10.0 Now Receiving Errors

#146 Post by botg » 2015-02-02 19:09

tiikeri wrote:I am paranoid. I know, I should talk with an analyst, but my paranoid world is populated by bad hackers, and I saw big and small (estimated or not) Companies with sites and server misconfigured or outdated.
Just because you're paranoid doesn't mean they aren't after you.

It is a proven fact that government funded terrorist organizations such as the NSA spy on the honest citizen and even sell some of the data to the highest bidder.


splice wrote:That being said, it would be nice if Quick Connect could also be told to use plain FTP. Why only in site manager is beyond me. I think most of the general audience probably uses only Quick Connect.
It's a move towards security by default. It shouldn't be possible to accidentally use an insecure protocol.

Ideally not even the option in the Site Manager would be needed if all servers were properly configured. I underestimated the amount of broken or badly configured servers though.

I'm particularly disappointed that some of the hosters with FTP over TLS issues are the same ones that previously had issues when FileZilla made use of MLSD by default a couple of years ago. Instead of properly configuring their firewalls back then, they just added another "may work in a select few known situations only" automatism to transparently open ports :(

splice
500 Command not understood
Posts: 3
Joined: 2015-02-02 18:11
First name: A.
Last name: Splice

Re: Updated To Version 3.10.0 Now Receiving Errors

#147 Post by splice » 2015-02-02 19:54

Ideally not even the option in the Site Manager would be needed if all servers were properly configured. I underestimated the amount of broken or badly configured servers though.
Underestimated indeed, we are talking a significant market share of all commercial web hosting companies here. The default settings with the most recent updates on WHM/cPanel are improperly configured for TLS, resulting in this problem. It's easy to say 'well everyone needs to man up and fix this', and they certainly should for security reasons, but we are talking millions and millions of hosting accounts here. This issue needs to be submitted to the cPanel/WHM and CSF staff to definitively resolve the issue, along with any other affected hosting platforms.

The reality is that many competing FTP products do not require TLS by default and Filezilla stands to lose a significant market share due to this issue. 99% of new users will try, have it not work, and immediately uninstall the software.

Here is my suggestion. Code the program to display a pop-up box when this problem is encountered that says "Unfortunately the server you are trying to connnect to is misconfigured and does not support secure FTP over TLS. Would you like to proceed as plain FTP?" With a check box to disable TLS for the current connection. That way, at least it shows you are trying, and you won't lose any business or have to keep arguing with folks in the forums.

User avatar
botg
Site Admin
Posts: 32472
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Updated To Version 3.10.0 Now Receiving Errors

#148 Post by botg » 2015-02-02 22:54

splice wrote:It's easy to say 'well everyone needs to man up and fix this
Actually it's the opposite, it's a very time-consuming and tedious task.
The reality is that many competing FTP products do not require TLS by default and Filezilla stands to lose a significant market share due to this issue.
FileZilla does not require FTP over TLS. If the server says it supports FTP over TLS, then it is used though. Were the server to reject the AUTH command, plain FTP would still be used just like in old versions.
Here is my suggestion. Code the program to display a pop-up box when this problem is encountered that says "Unfortunately the server you are trying to connnect to is misconfigured and does not support secure FTP over TLS. Would you like to proceed as plain FTP?"
I have planned such a feature, in a future version a message like this will appear if the server rejects the AUTH command.

However, for most users, the error happens at a point where the server accepts FTP over TLS and the initial handshake succeeds. From the point of view of FileZilla, it's just a connection failure. Connection failures happen all the time, even with perfectly configured servers; such is the nature of the Internet: Packets can and do get lost.

Falling back to plaintext FTP due to some connection failure after a successful handshake is a terrible idea though. Imagine a simple network outage; before you know it, your credentials are sent in clear over an untrusted connection.

Worse, an attacker could also force this: If he detects that TLS is used, he interrupts the connection and thus forces the plaintext fallback. These kind of downgrade attacks are a real problem, e.g. as with the POODLE attack.

As it is right now, the automatic fallback used by FileZilla is still vulnerable, though requires an attacker to be at least capable of modifying traffic. A more general fallback on the other hand would only require the far more simple capability of the attacker to withhold traffic. It doesn't end there though. Since loss of packets is common and happens all the time, a patient attacker would only need to passively listen to the connection, eventually a connection will fail by chance and a downgrade would be initiated.
Last edited by botg on 2015-02-02 22:57, edited 1 time in total.
Reason: Clarified wording

splice
500 Command not understood
Posts: 3
Joined: 2015-02-02 18:11
First name: A.
Last name: Splice

Re: Updated To Version 3.10.0 Now Receiving Errors

#149 Post by splice » 2015-02-02 23:14

FileZilla does not require FTP over TLS. If the server says it supports FTP over TLS, then it is used though. Were the server to reject the AUTH command, plain FTP would still be used just like in old versions.
Understood. What I should say is that many popular FTP clients dont connect using TLS by default. Nobody can fault you for wanting to improve security by defaulting this to on of course, but here is this huge problem.

So, FileZilla assumes the server is telling the truth when it accepts the auth for TLS support. But then it hits the misconfigured FTP server ports and this is seen as a simple connection failure, and so how would the program even know to ask the client if they want to fall back to plain FTP. If you could somehow have FileZilla recognize this specific problem, as opposed to a general connection failure, then the pop-up idea would make sense.

I'm just trying to brainstorm to save you the mass exodus of clients you are facing due to this issue, since most people aren't going to bother to figure it out or even contemplate trying to change anything server-side.

Another idea then would be to have a pop-up window at the time of every connection saying something like "Now connecting using FTP over TLS. If you are experiencing difficulty connecting, your server may be misconfigured. If you want to accept the security risk of plain FTP, click here to connect"..... or whatever. You just need something to let you off the hook so that the average joe FTP user can identify and circumvent the problem quickly, before he gets even slightly annoyed and quickly uninstalls the 'broken' program he just updated or downloaded. And savvy users will recognize there is a security configuration issue with the server and look into it. Like me for instance, if I hadn't run into this problem, I wouldn't ever have reconfigured the server.

paintbetty
500 Command not understood
Posts: 1
Joined: 2015-02-06 08:21
First name: Janelle

Re: Updated To Version 3.10.0 Now Receiving Errors

#150 Post by paintbetty » 2015-02-06 08:31

i upgraded to the newest version of filezilla and cannot connect to my ftp and am getting this error:

Status: Resolving address of www.paintbetty.com
Status: Connecting to 72.167.131.217:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (72,167,131,217,196,237)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Resolving address of ftp.paintbetty.com
Status: Connecting to 72.167.131.217:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (72,167,131,217,199,43)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Resolving address of ftp.paintbetty.com
Status: Connecting to 72.167.131.217:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (72,167,131,217,195,147)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Resolving address of paintbetty.com
Status: Connecting to 72.167.131.217:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (72,167,131,217,197,1)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Resolving address of paintbetty.com
Status: Connecting to 72.167.131.217:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (72,167,131,217,195,205)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing


I use godaddy, have for over a decade and am not in a position to switch. I also until this upgrade had NO PROBLEM CONNECTING. From reading the posts here and on previous threads that have had comments locked, it seems to me that the upgrade is inflexible in its expectations on servers. While I can appreciate this for security reasons, if I am unable to use your software, I will be forced to switch to something that works.

thanks,

Locked