Hello,
I'm currently facing the same issue: I used to connect successfully to my TLS-enabled FTP server (pure-ftpd, version 1.0.36-3.2 running on Debian 8.10) without any issue until yesterday, when I updated to FileZilla 3.56.0, running on Arch Linux.
When connecting, this error is displayed:
2021-10-17 11:02:48 35911 1 Statut : Résolution de l'adresse de XXXXX
2021-10-17 11:02:48 35911 1 Statut : Connexion à XXXXXXX:21...
2021-10-17 11:02:48 35911 1 Statut : Connexion établie, attente du message d'accueil...
2021-10-17 11:02:48 35911 1 Réponse : 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
2021-10-17 11:02:48 35911 1 Réponse : 220-You are user number 1 of 9 allowed.
2021-10-17 11:02:48 35911 1 Réponse : 220-Local time is now 09:02. Server port: 21.
2021-10-17 11:02:48 35911 1 Réponse : 220-This is a private system - No anonymous login
2021-10-17 11:02:48 35911 1 Réponse : 220 You will be disconnected after 15 minutes of inactivity.
2021-10-17 11:02:48 35911 1 Commande : AUTH TLS
2021-10-17 11:02:48 35911 1 Réponse : 234 AUTH TLS OK.
2021-10-17 11:02:48 35911 1 Statut : Initialisation de TLS...
2021-10-17 11:02:48 35911 1 Erreur : Failed to extract certificate trust path
2021-10-17 11:02:48 35911 1 Statut : Échec de la tentative de connexion avec "ECONNABORTED - Connexion annulée".
2021-10-17 11:02:48 35911 1 Erreur : Impossible d'établir une connexion au serveur
2021-10-17 11:02:48 35911 1 Statut : Attente avant nouvel essai...
2021-10-17 11:02:52 35911 1 Erreur : Tentative de connexion interrompue par l'utilisateur
I've attached the full FileZilla log, with debug mode enabled.
For the record, I've tried to downgrade the minimum required TLS version to 1.0 with no success.
The same server is working perfectly when using curl to connect (from the same computer):
[antoine@archlinux ~]$ curl -v -uXXXX:XXXX ftp://XXXXXX --ftp-ssl
* Trying XXXXX:21...
* Connected to XXXXX (XXXXXXX) port 21 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 1 of 9 allowed.
< 220-Local time is now 09:04. Server port: 21.
< 220-This is a private system - No anonymous login
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: CN=XXXXXX
* start date: Oct 11 01:27:10 2021 GMT
* expire date: Jan 9 01:27:09 2022 GMT
* subjectAltName: host "XXXXXXXX" matched cert's "XXXXXX"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> USER XXXXX
< 331 User XXXXX OK. Password required
> PASS XXXXX
< 230 OK. Current directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> PWD
< 257 "/" is your current location
* Entry path is '/'
* Request has same path as previous transfer
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Extended Passive mode OK (|||30002|)
* Trying XXXXXXX:30002...
* Connecting to XXXXXX (XXXXXX) port 30002
* Connected to XXXXXX (XXXXXX) port 21 (#0)
> TYPE A
< 200 TYPE is now ASCII
> LIST
< 150 Accepted data connection
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: CN=XXXXXXXX
* start date: Oct 11 01:27:10 2021 GMT
* expire date: Jan 9 01:27:09 2022 GMT
* subjectAltName: host "XXXXXXXX" matched cert's "XXXXXXX"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
drwxrwxr-x 2 991 986 4096 Mar 11 2018 XXXXXX
[...]
For information, I'm using a certificate issued by Let's Encrypt. Could this issue be related to the CA's recent root expiration? (https://scotthelme.co.uk/lets-encrypt-o ... xpiration/)
Antoine