FileZilla Client does not see/find newly updated certificate on primary connection

Posted: 2019-01-12 01:46
by FileZillaQs
I am using FileZilla Client 3.39.0 on Windows x64.

I run a website that uses IIS 10's FTP server and I have it set up to use Explicit FTP over TLS and it's worked great for the last year+. I bought the server certificate through Digicert.

The server certificate expired on 2019-01-04. I renewed the certificate at Digicert, one that is good through 2021. I then installed it on the Windows server, and updated the FTP site to use the new certificate.

However, when I try connecting with FileZilla Client, the log reports the following:

Status:	Connecting to xxx.xxx.xxx.xxx:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
But then up pops a warning saying that the certificate expired on 2019-01-04.

If I click Ok, it continues, but then it says: Primary connection and data connection certificates don't match.

Here's the log following the "Initializing TLS..."

Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is current directory.
Command:	TYPE I
Response:	200 Type set to I.
Command:	PASV
Response:	227 Entering Passive Mode (38,101,199,155,19,46).
Command:	LIST
Response:	150 Opening BINARY mode data connection.
Error:	Primary connection and data connection certificates don't match.
Error:	Transfer connection interrupted: ECONNABORTED - Connection aborted
Response:	226 Transfer complete.
Error:	Failed to retrieve directory listing
Status:	Disconnected from server: ECONNABORTED - Connection aborted
It's like the Initializing TLS logic is somehow grabbing the OLD certificate, but once it connects, it's grabbing the NEW certificate and seeing they don't match.

If I update the IIS FTP server to use the OLD certificate and retry connecting, I get the same expired certificate warning on Initializing TLS, but then when I click Ok it connects and I can transfer files without issue (although I have to confirm that the certificate is expired every transfer).

What's going on here? Is FileZilla Client caching the Initializing TLS certificate? I've tried deleting the trustedcerts.xml file, but that didn't make any difference.

There is just one setting for the FTP SSL Certificate in IIS, so I don't think it's a server-side issue.

Thanks

Re: FileZilla Client does not see/find newly updated certificate on primary connection

Posted: 2019-01-12 01:52
by FileZillaQs
FWIW, I RDPed into a computer on the other side of the US and tried connecting via FileZilla Client and got the same behavior - during Initialize TLS it gave me the warning of the expired certificate, even though the FTP site on IIS is setup to use the new one. And then when I clicked OK, it came back with the same error, "Primary connection and data connection certificates don't match."

This leads me to believe it's not related to FileZilla Client or certificate caching, since the server I RDPed into has never attempted to access this FTP site before.

Does anyone have any ideas, or has anyone experienced this issue before?

Thanks

Re: FileZilla Client does not see/find newly updated certificate on primary connection

Posted: 2019-01-12 11:00
by botg
IIS is a Microsoft product. Have you tried rebooting yet?

Re: FileZilla Client does not see/find newly updated certificate on primary connection

Posted: 2019-01-13 03:24
by FileZillaQs
Yes, I have rebooted - still exhibits the same behavior.

Re: FileZilla Client does not see/find newly updated certificate on primary connection

Posted: 2019-01-13 03:31
by FileZillaQs
Tim, can you provide any background on how FileZilla Client determines what certificate to use when making the primary connection (Initializing TLS) vs. what certificate to use when making the data connection?

My hunch is that the problem lies somewhere in that realm.

Since the issue could also be on the server-side, I've posted this question on ServerFault.com, as well - https://serverfault.com/questions/94880 ... -newly-upd

Thanks for taking the time to read this.

Re: FileZilla Client does not see/find newly updated certificate on primary connection

Posted: 2019-01-13 16:17
by botg
Which certificate is being used is determined entirely server-side. To prevent connection stealing attacks, FileZilla requires that the server selects the same certificate for both the control connection and the data connection.
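The check botg describes (the data connection must present the same leaf certificate as the control connection) is easy to reproduce from the client side, which is useful when you want to see what a server is actually handing out rather than what its admin console says. The following is an added example written for this thread; it is not FileZilla code and not the poster's script. It uses only the Python standard library (ftplib, ssl, hashlib). The host, user and password are placeholders you supply; the DER byte strings used in the self-test are constructed stand-ins, not real certificates. The client is written to force a full TLS handshake on the data connection, because ftplib normally resumes the control connection's TLS session, in which case the server sends no certificate on the data connection and a comparison would trivially "match".

```python
"""Probe an explicit FTPS server: report which leaf certificate it presents on the
control connection versus a PASV data connection, and whether it has expired.
Added illustration for this thread; not FileZilla's code."""
import ftplib
import hashlib
import json
import ssl
import sys
import time
from typing import Optional


def fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(control_der: bytes, data_der: bytes) -> bool:
    """The client-side rule from the thread: the data connection must present
    exactly the certificate the control connection presented."""
    return control_der == data_der


def is_expired(not_after: str, now: Optional[float] = None) -> bool:
    """not_after uses the string format returned by SSLSocket.getpeercert(),
    e.g. 'Jan  4 23:59:59 2019 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    return expires < (time.time() if now is None else now)


def diagnose(control_der: bytes, data_der: bytes,
             control_info: dict, now: Optional[float] = None) -> dict:
    """Combine both checks. control_info is the dict form of getpeercert(); it is
    empty when verification was disabled, so expiry is then reported as None."""
    not_after = control_info.get("notAfter")
    return {
        "control_fingerprint": fingerprint(control_der),
        "data_fingerprint": fingerprint(data_der),
        "certificates_match": same_certificate(control_der, data_der),
        "expired": is_expired(not_after, now) if not_after else None,
    }


class FreshHandshakeFTPS(ftplib.FTP_TLS):
    """Like FTP_TLS, but wraps data sockets WITHOUT reusing the control
    connection's TLS session, so the server must send its certificate again."""

    def ntransfercmd(self, cmd, rest=None):
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:
            conn = self.context.wrap_socket(conn, server_hostname=self.host)
        return conn, size


def probe(host: str, port: int, user: str, password: str, verify: bool = True) -> dict:
    """AUTH TLS + login + PROT P, then one PASV data connection for LIST.
    verify=False skips certificate validation (diagnostic use only) so that an
    expired or mismatched certificate can still be fetched and compared."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ftps = FreshHandshakeFTPS(context=ctx)
    ftps.connect(host, port, timeout=15)
    ftps.auth()                                  # AUTH TLS on the control connection
    ftps.login(user, password)
    ftps.prot_p()                                # PROT P: data connections also use TLS
    control_der = ftps.sock.getpeercert(binary_form=True)
    control_info = ftps.sock.getpeercert()       # {} when verify=False
    data_sock = ftps.transfercmd("LIST")         # PASV + LIST; socket is already TLS-wrapped
    data_der = data_sock.getpeercert(binary_form=True)
    while data_sock.recv(8192):                  # drain the listing so the server sends 226
        pass
    data_sock.close()
    ftps.voidresp()
    ftps.quit()
    return diagnose(control_der, data_der, control_info)


if __name__ == "__main__":
    # Placeholders: python probe.py <host> <user> <password>
    host, user, password = sys.argv[1], sys.argv[2], sys.argv[3]
    try:
        result = probe(host, 21, user, password)
    except ssl.SSLCertVerificationError as exc:
        print("control connection failed verification:", exc.verify_message)
        result = probe(host, 21, user, password, verify=False)
    print(json.dumps(result, indent=2))
```

Run it against the server while it is configured with the new certificate: if the two fingerprints differ, the server really is serving different certificates on the two connections and the fix is on the server side, not in the client's certificate cache. If they match and neither is expired, the client-side warning is the thing to investigate.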