425 Unable to build data connection: Operation not permitted in FTPES - Error reusing SSL session from control channel


#1 Post by iyd2019 » 2019-10-08 18:19

First of all, thanks for this great tool and the development effort. I'm here to help, not criticize.

This morning, after updating the FZ client to the last version 3.45.1, I discovered that I can't retrieve directory listings against my own FTP server using explicit FTP over TLS anymore:

Code:

Command:	PASV
Response: 	227 Entering Passive Mode (xx,xx,xx,xx,178,177).
Command:	MLSD
Response: 	150 Opening BINARY mode data connection for MLSD
Response: 	425 Unable to build data connection: Operation not permitted

I also tried two older versions (that I had at hand):
FZ 3.42.1 --> doesn't work either
FZ 3.35.1 --> works great!

I found this entry in the tls.log in the server:

Code:

2019-10-08 20:07:39,831 mod_tls/2.6[18257]: TLS/TLS-C requested, starting TLS handshake
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 renegotiation accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 renegotiation accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 connection accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:40,212 mod_tls/2.6[18257]: Protection set to Private
2019-10-08 20:07:40,524 mod_tls/2.6[18257]: starting TLS negotiation on data connection
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: TLSv1.3 renegotiation accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: client reused SSL session for data connection
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: Client did not reuse SSL session from control channel, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: unable to open data connection: TLS negotiation failed

I also tried ftptest.net with the same results.

If I include the "NoSessionReuseRequired" TLSOption in the server, everything works... with the unwanted (un)security side effect...

I can provide detailed logs/access if required.

Configurations:
FTP Server
--------------
ProFTPD Version 1.3.5e (fully updated)

FileZilla Client
----------------
Version: 3.42.1
Build information:
Compiled for: x86_64-apple-darwin18.5.0
Compiled on: x86_64-apple-darwin18.5.0
Build date: 2019-05-08
Compiled with: Apple LLVM version 10.0.1 (clang-1001.0.46.4)
Compiler flags: -Werror=partial-availability -Wall -g -std=c++14
Linked against:
wxWidgets: 3.0.5
SQLite: 3.26.0
GnuTLS: 3.6.7
Operating system:
Name: Mac OS X (Darwin 18.7.0 x86_64)
Version: 10.14
CPU features: sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi2 bmi2 lm
Settings dir: /Users/xxx/.config/filezilla/

FileZilla Client
----------------
Version: 3.45.1
Build information:
Compiled for: x86_64-apple-darwin18.7.0
Compiled on: x86_64-apple-darwin18.7.0
Build date: 2019-09-25
Compiled with: Apple LLVM version 10.0.1 (clang-1001.0.46.4)
Compiler flags: -Werror=partial-availability -Wall -g
Linked against:
wxWidgets: 3.0.5
SQLite: 3.26.0
GnuTLS: 3.6.7
Operating system:
Name: Mac OS X (Darwin 18.7.0 x86_64)
Version: 10.14
CPU features: sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi2 bmi2 lm
Settings dir: /Users/xxx/.config/filezilla/

botg
Site Admin
First name: Tim
Last name: Kosse

#2 Post by botg » 2019-10-08 21:57

This is a bug in your FTP server. Please try again with the most recent version of your FTP server.


#3 Post by iyd2019 » 2019-10-13 21:30

botg wrote:
2019-10-08 21:57
This is a bug in your FTP server. Please try again with the most recent version of your FTP server.

The last available version of the ProFTPd daemon for my Linux server distribution is 1.3.5e, so I just downloaded and compiled the latest versions myself:
  • ProFTPd 1.3.6a
  • and even the ProFTPd 1.3.7rc1
and both of them fail exactly the same way. They only work if I enable the following line in my proftpd.conf file:

Code:

TLSOptions    NoSessionReuseRequired

mentioned here: http://www.proftpd.org/docs/howto/TLS.html

What is strange to me is that an older version like FileZilla 3.35.1 works fine: what has changed since then?

Best regards

boco
Contributor

#4 Post by boco » 2019-10-23 09:03

To my knowledge, the error occurs only with FTP over TLS v1.3. Older FileZilla clients only worked with up to TLS 1.2.

The FTP server offers TLS 1.3 because the used OpenSSL dependency enabled it. However, it is neither aware nor does it know how to handle TLS 1.3. Limit the TLS version the server offers to 1.2 and it will probably work, short-term. Long-term, proper support for TLS 1.3 has to be added.
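
A triage sketch for the server-side tls.log format quoted in post #1, added here as an example and not code from the thread or from ProFTPD: it groups mod_tls lines by process ID and reports, per control-channel protocol, how many data connections were rejected for session reuse, which lets an operator check the TLS 1.3 correlation suggested in post #4 before picking a workaround. The TLSv1.2 session in the sample is constructed, and treating each PID as one FTP session is an assumption.

```python
import re
from collections import defaultdict

# First five lines are from post #1; the pid 18301 (TLSv1.2) session is
# constructed for contrast and does not come from the thread.
SAMPLE_LOG = """\
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 connection accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:40,524 mod_tls/2.6[18257]: starting TLS negotiation on data connection
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: client reused SSL session for data connection
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: Client did not reuse SSL session from control channel, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: unable to open data connection: TLS negotiation failed
2019-10-08 20:09:02,110 mod_tls/2.6[18301]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2019-10-08 20:09:02,480 mod_tls/2.6[18301]: starting TLS negotiation on data connection
2019-10-08 20:09:02,551 mod_tls/2.6[18301]: client reused SSL session for data connection
"""

LINE = re.compile(r"^\S+ \S+ mod_tls/[\d.]+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^(TLSv[\d.]+|SSLv\d) connection accepted")
DATA_START = "starting TLS negotiation on data connection"
# Counted even when "client reused SSL session" is also logged, as in post #1.
REJECTED = "Client did not reuse SSL session from control channel"

def summarize(log_text):
    """Per PID: control-channel protocol, data connections, reuse rejections."""
    sessions = defaultdict(lambda: {"protocol": None, "data": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a mod_tls line in the expected format
        s, msg = sessions[int(m["pid"])], m["msg"]
        acc = ACCEPTED.match(msg)
        if acc and s["protocol"] is None:
            s["protocol"] = acc.group(1)
        elif msg == DATA_START:
            s["data"] += 1
        elif msg.startswith(REJECTED):
            s["rejected"] += 1
    return dict(sessions)

def rejections_by_protocol(sessions):
    """Aggregate to protocol -> (rejected, total) data connections."""
    out = defaultdict(lambda: [0, 0])
    for s in sessions.values():
        out[s["protocol"]][0] += s["rejected"]
        out[s["protocol"]][1] += s["data"]
    return {proto: tuple(counts) for proto, counts in out.items()}

if __name__ == "__main__":
    for proto, (bad, total) in rejections_by_protocol(summarize(SAMPLE_LOG)).items():
        print(f"{proto}: {bad}/{total} data connections rejected for session reuse")
```
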
