425 Unable to build data connection: Operation not permitted in FTPES - Error reusing SSL session from control channel

Posted: 2019-10-08 18:19
by iyd2019
First of all, thanks for this great tool and the development effort. I'm here to help, not criticize.

This morning, after updating the FZ client to the last version 3.45.1, I discovered that I can't retrieve directory listings against my own FTP server using explicit FTP over TLS anymore:

Code:

Command:	PASV
Response: 	227 Entering Passive Mode (xx,xx,xx,xx,178,177).
Command:	MLSD
Response: 	150 Opening BINARY mode data connection for MLSD
Response: 	425 Unable to build data connection: Operation not permitted

I also tried two older versions (that I had at hand):
FZ 3.42.1 --> doesn't work either
FZ 3.35.1 --> works great!

I found this entry in the tls.log in the server:

Code:

2019-10-08 20:07:39,831 mod_tls/2.6[18257]: TLS/TLS-C requested, starting TLS handshake
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 renegotiation accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 renegotiation accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:39,961 mod_tls/2.6[18257]: TLSv1.3 connection accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:40,212 mod_tls/2.6[18257]: Protection set to Private
2019-10-08 20:07:40,524 mod_tls/2.6[18257]: starting TLS negotiation on data connection
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: TLSv1.3 renegotiation accepted, using cipher TLS_AES_256_GCM_SHA384 (256 bits)
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: client reused SSL session for data connection
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: Client did not reuse SSL session from control channel, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
2019-10-08 20:07:40,592 mod_tls/2.6[18257]: unable to open data connection: TLS negotiation failed

I also tried ftptest.net with the same results.

If I include the "NoSessionReuseRequired" TLSOption in the server, everything works... with the unwanted (un)security side effect...

I can provide detailed logs/access if required.

Configurations:
FTP Server
--------------
ProFTPD Version 1.3.5e (fully updated)

FileZilla Client
----------------
Version: 3.42.1
Build information:
Compiled for: x86_64-apple-darwin18.5.0
Compiled on: x86_64-apple-darwin18.5.0
Build date: 2019-05-08
Compiled with: Apple LLVM version 10.0.1 (clang-1001.0.46.4)
Compiler flags: -Werror=partial-availability -Wall -g -std=c++14
Linked against:
wxWidgets: 3.0.5
SQLite: 3.26.0
GnuTLS: 3.6.7
Operating system:
Name: Mac OS X (Darwin 18.7.0 x86_64)
Version: 10.14
CPU features: sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi2 bmi2 lm
Settings dir: /Users/xxx/.config/filezilla/

FileZilla Client
----------------
Version: 3.45.1
Build information:
Compiled for: x86_64-apple-darwin18.7.0
Compiled on: x86_64-apple-darwin18.7.0
Build date: 2019-09-25
Compiled with: Apple LLVM version 10.0.1 (clang-1001.0.46.4)
Compiler flags: -Werror=partial-availability -Wall -g
Linked against:
wxWidgets: 3.0.5
SQLite: 3.26.0
GnuTLS: 3.6.7
Operating system:
Name: Mac OS X (Darwin 18.7.0 x86_64)
Version: 10.14
CPU features: sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi2 bmi2 lm
Settings dir: /Users/xxx/.config/filezilla/

Re: 425 Unable to build data connection: Operation not permitted in FTPES - Error reusing SSL session from control chann

Posted: 2019-10-08 21:57
by botg
This is a bug in your FTP server. Please try again with the most recent version of your FTP server.

Re: 425 Unable to build data connection: Operation not permitted in FTPES - Error reusing SSL session from control chann

Posted: 2019-10-13 21:30
by iyd2019
botg wrote:
2019-10-08 21:57
This is a bug in your FTP server. Please try again with the most recent version of your FTP server.

The last available version of the ProFTPd daemon for my Linux server distribution is 1.3.5e, so I just downloaded and compiled the latest versions myself:
  • ProFTPd 1.3.6a
  • and even the ProFTPd 1.3.7rc1
and both of them fail exactly the same way. They only work if I enable the following line in my proftpd.conf file:

Code:

TLSOptions    NoSessionReuseRequired

mentioned here: http://www.proftpd.org/docs/howto/TLS.html

What is strange to me is that an older version like FileZilla 3.35.1 works fine: what has changed since then?

Best regards

Re: 425 Unable to build data connection: Operation not permitted in FTPES - Error reusing SSL session from control chann

Posted: 2019-10-23 09:03
by boco
To my knowledge, the error occurs only with FTP over TLS v1.3. Older FileZilla clients only worked with up to TLS 1.2.

The FTP server offers TLS 1.3 because the OpenSSL dependency it uses enabled it. However, it is neither aware of TLS 1.3 nor does it know how to handle it. Limit the TLS version the server offers to 1.2 and it will probably work, short-term. Long-term, proper support for TLS 1.3 has to be added.