Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-10 15:51
by laurareeling
I get errors trying to connect to the site I ftp to most frequently and all the admin will tell me is to 'turn it off.' I haven't been able to figure out a way to do this....

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server
Status: Waiting to retry...

Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.5 Server
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-10 15:59
by boco
1. In the Site Manager entry for your server, set Encryption to 'Plain FTP'.
2. Since plain FTP is insecure, demand a fix from them.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-10 16:08
by laurareeling
Thanks - I haven't gotten strong impressions on their technical abilities.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-10 16:18
by boco
Yeah, that's what we deal with right now: Lazy bum server admins. The problem is that users get burned for their laziness...

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-10 20:42
by laurareeling
Great - they're refusing to do anything because it 'will break it for everyone else.'

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-19 23:19
by mattauckland
In defence of server admins, FileZilla was working just fine until I was notified of an update. Now I'm also getting the same TLS error.

So as it was working perfectly prior to the update, and isn't now, that would suggest the fault is with a modification to FileZilla. So the question is, what has been modified with TLS in FileZilla that could have caused this issue?

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-20 09:02
by botg
laurareeling wrote: Great - they're refusing to do anything because it 'will break it for everyone else.'
How is fixing a server that definitely isn't working correctly breaking it for "everyone" else?
mattauckland wrote: So as it was working perfectly prior to the update, and isn't now, that would suggest the fault is with a modification to FileZilla. So the question is, what has been modified with TLS in FileZilla that could have caused this issue?
Nothing has been modified with TLS. Before, you simply were not using TLS at all. Now you are if the server says it supports it.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-20 15:47
by mattauckland
Well if anyone else comes across this issue, and runs a server or VPS with Plesk 12 and Linux (CentOS 6.5 64bit in my case), this is how you can resolve it:-


Log in to your server via SSH (terminal) or using the Digital Ocean console, and enter the following command to edit the ProFTP configuration file:

Code:

vi /etc/proftpd.conf

Enter Insert mode by pressing the Escape key to make sure you are in Command mode, followed by pressing the A key to enter Insert mode.

Move to the bottom of the file using the cursor keys, and add the following lines of code:

Code:

# TLS
<IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/tls.log
   TLSProtocol SSLv3 TLSv1
   TLSRequired off
   TLSOptions NoCertRequest
   TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
   TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
   TLSVerifyClient off
   TLSRenegotiate required off
</IfModule>

Finally we need to save and exit. Do this by pressing the Escape key to enter Command mode, and then type :wq and press Enter.

Then for the changes to take effect, reboot the server using this command:
shutdown -r now
Or reboot proftpd only using the following command:

Code:

/etc/init.d/xinetd restart

Hope that helps someone else, as it took me a little while to work out what was needed. Incidentally this solution doesn't affect non-TLS FTP connections, so won't cause issues to other users.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-20 17:18
by xeon
mattauckland wrote: TLSProtocol SSLv3
TLSRenegotiate required off
These are insecure options.
mattauckland wrote: TLSRequired off
TLSVerifyClient off
Unnecessary, as they're already off by default.
mattauckland wrote: Then for the changes to take effect, reboot the server using this command:

shutdown -r now
Completely unnecessary to reboot the entire server, or even the proftpd process for that matter. You could simply send the HUP signal to reload the configuration.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-22 00:07
by mattauckland
Those steps are actually part of a larger configuration in a guide I wrote, and the shutdown/restart is needed.

The other settings are taken from PROFTPD's website, part of the guide to enabling TLS. So if it is wrong, you best let them know.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-22 04:23
by boco
SSLv3 is deprecated, FileZilla doesn't support it anymore. That is a reason for getting TLS Fatal error -12.

Session renegotiation should be enabled.
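
Added example, not part of any post in this thread: a small Python check that reads a ProFTPD mod_tls block and reports the settings the replies above object to (SSLv3 in TLSProtocol, the redundant "off" lines, the TLSRenegotiate line). SAMPLE_CONF is constructed from the directives posted earlier; the function names and severity labels are this example's own.

```python
import re

# Constructed input: directives copied from the mod_tls block posted in the thread.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
   TLSEngine on
   TLSProtocol SSLv3 TLSv1
   TLSRequired off
   TLSVerifyClient off
   TLSRenegotiate required off
</IfModule>
"""

def tls_directives(conf_text):
    """Return {directive: [args]} for lines inside <IfModule mod_tls.c> blocks."""
    found, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        if re.fullmatch(r"<IfModule\s+mod_tls\.c>", line, re.I):
            inside = True
        elif re.fullmatch(r"</IfModule>", line, re.I):
            inside = False
        elif inside:
            name, *args = line.split()
            found[name.lower()] = [a.lower() for a in args]
    return found

def audit(conf_text):
    """Return (severity, directive, note) findings; labels are this example's own."""
    d, out = tls_directives(conf_text), []
    if d.get("tlsengine") != ["on"]:
        out.append(("high", "TLSEngine", "mod_tls is not switched on"))
    # A leading '-' removes a protocol in mod_tls's +/- syntax, so skip those.
    weak = [p for p in d.get("tlsprotocol", [])
            if not p.startswith("-") and p.lstrip("+").startswith("sslv")]
    if weak:
        out.append(("high", "TLSProtocol", "deprecated: " + " ".join(weak)))
    for name in ("TLSRequired", "TLSVerifyClient"):
        if d.get(name.lower()) == ["off"]:
            out.append(("info", name, "off is the default per the thread; redundant"))
    if d.get("tlsrenegotiate") == ["required", "off"]:
        out.append(("review", "TLSRenegotiate", "called insecure in the thread"))
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("%-6s %-16s %s" % finding)
```

Run against the sample, it reports one high finding (SSLv3), two redundant lines and one line to review; a file with no mod_tls block at all is reported as TLS not switched on.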

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-22 10:24
by botg
boco wrote: Session renegotiation should be enabled.
Renegotiation isn't needed. Are you confusing it with session reuse/resumption? Use of session reuse/resumption is very much desired for both security and performance reasons.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-22 15:14
by mattauckland
Actually the reason for the TLS Fatal error -12 was that TLS wasn't enabled in the config.

I resolved the fatal error by adding TLS to PROFTPD.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-23 05:14
by boco
That is very poor for a server configuration. If TLS is disabled it MUST reject the AUTH commands. One to tell to the ProFTPd people, I guess.

Re: Is there a way to turn off the TLS default in the latest Filezilla?

Posted: 2015-01-23 09:33
by stefl0n
Why are users forced to use TLS as default now?
I'm not using that insecure site manager as passwords are stored unencrypted (!) in a plain xml/text file, easily accessible for malware and other bad guys. So why encrypt the connection at all then?!

I'm using FileZilla via cli within KeePass. The connection type can be controlled with the "protocol" here in some way (sftp://, ftps://, ftpes://) but "ftp://" has to be plain FTP!
There has to be at least an option in the settings to control this automatic behaviour.

Changing the security settings for all ftp sites in the world is no reasonable way.

I'm now switching back to v3.9 until this gets fixed.

Thanks!