
FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-17 16:04
by morourke
I just upgraded from 3.41.1 to 3.42.1 and previously working connections are now failing with this error:
11:50:16 Error: Certificate of connection does not match expected certificate.
11:50:16 Error: The data connection could not be established: ECONNABORTED - Connection aborted

Turning debug logs on, I see:
...
11:53:11 Trace: TLS Handshake successful
11:53:11 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
11:53:12 Error: Certificate of connection does not match expected certificate.
11:53:12 Trace: CTlsSocketImpl::Failure(0)
11:53:12 Trace: CTlsSocketImpl::OnRead()
11:53:12 Error: The data connection could not be established: ECONNABORTED - Connection aborted
11:53:12 Trace: CTransferSocket::TransferEnd(3)
11:53:12 Trace: CFtpControlSocket::OnReceive()
11:53:12 Response: 226 Closing data connection, sent 3041 bytes
...

The same connection from 3.41.1 works correctly and shows:
...
11:55:42 Trace: TLS Handshake successful
11:55:42 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
11:55:42 Status: Verifying certificate...
11:55:42 Status: TLS connection established.
11:55:42 Trace: CControlSocket::SendNextCommand()
11:55:42 Trace: CFtpLogonOpData::Send() in state 5
...

Is there something in the 3.42.1 version that has changed surrounding this, or is there some way to tell what about the certificate is no longer acceptable?

thanks,
-mike

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-17 17:53
by botg
Do you at some point anywhere see a message about an unsorted certificate chain?

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-19 21:09
by morourke
Nope. That message is nowhere to be seen in the entire log.

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-20 15:54
by botg
Which operating system are you using? Did you obtain binaries through https://filezilla-project.org/, a third-party distribution, or did you compile from source?

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-21 18:57
by morourke
I have replicated this on both FileZilla on my Mac downloaded from https://filezilla-project.org/download.php?type=client, as well as on an Ubuntu Linux host, also downloaded via the same link.

-mike

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-21 21:20
by botg
For further analysis, would it be possible to obtain a temporary guest account on the affected server?

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-22 20:14
by morourke
Absolutely. Let me set that up and I will PM you with the login details.

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-05-23 08:17
by botg
Thank you. I can confirm that the server indeed uses a different certificate for the data connection that does not match the control connection. For FTP, matching certificates is an important security requirement to mitigate data connection stealing attacks.

The control connection certificate has the SHA256 fingerprint 76ffac5e761f9dc3c353a08244afe163c54c0335152846580ab0e8c648f3946e with the data connection certificate having fingerprint bab747e19c619b4b352ec63aec07d8f7566d475cbe98f94c8f8d843bea823cec.

Please contact your hosting provider for further assistance so that they can fix the server.
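
The check described in the post above, as an added example that is not part of the original thread and is not FileZilla's code: a Python probe built on the standard library's ftplib that logs in over explicit FTPS, opens one protected passive-mode data connection, and compares the SHA-256 fingerprints of the certificates seen on the two channels. The function names are hypothetical, and chain validation is deliberately disabled because only equality of the two certificates is being tested.

```python
import hashlib
import ssl
from ftplib import FTP_TLS


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def compare_channels(control_der: bytes, data_der: bytes) -> dict:
    """Report both fingerprints and whether the two channels agree."""
    control_fp, data_fp = fingerprint(control_der), fingerprint(data_der)
    return {"control": control_fp, "data": data_fp, "match": control_fp == data_fp}


def probe_ftps(host: str, user: str, password: str, port: int = 21) -> dict:
    """Log in over explicit FTPS, open one protected data connection
    (passive mode, LIST) and compare the certificate seen on each channel."""
    # Chain and hostname validation are off on purpose: this probe only
    # answers "do both channels present the same certificate?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftp = FTP_TLS(context=ctx, timeout=15)
    ftp.connect(host, port)
    ftp.login(user, password)            # issues AUTH TLS before USER/PASS
    control_der = ftp.sock.getpeercert(binary_form=True)
    ftp.prot_p()                         # PBSZ 0 / PROT P: protect the data channel
    data_sock = ftp.transfercmd("LIST")  # data-channel TLS handshake happens here
    try:
        data_der = data_sock.getpeercert(binary_form=True)
        while data_sock.recv(8192):      # drain the directory listing
            pass
    finally:
        data_sock.close()
        ftp.close()
    return compare_channels(control_der, data_der)


if __name__ == "__main__":
    import getpass
    import sys
    result = probe_ftps(sys.argv[1], sys.argv[2], getpass.getpass())
    print(result)
    sys.exit(0 if result["match"] else 1)
```

A result with `"match": False` corresponds to the condition that FileZilla 3.42.1 rejects with "Certificate of connection does not match expected certificate".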

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Posted: 2019-10-17 19:27
by morourke
I never updated this to document that this is the result of the catch-all setting in the S3 provider section. By adding the Wasabi Provider information, it kept this within the right domain and the certificates matched, problem solved.