TLS error at GoDaddy with version 3.56.2

[tksharpless]

Updated to latest version and now login to several accounts on GoDaddy fails when any option to use TLS is set.
The GoDaddy site is on the old Linux hosting platform that they tell me has not changed in years.
Log:

Status: Resolving address of paniniperspective.com
Status: Connecting to 184.168.190.50:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: GnuTLS error -8: A packet with illegal or unsupported version was received.
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of paniniperspective.com
Status: Connecting to 184.168.190.50:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 5 of 500 allowed.
Response: 220-Local time is now 06:31. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220 You will be disconnected after 3 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Error: GnuTLS error -8: A packet with illegal or unsupported version was received.
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Error: Could not connect to server

[boco]

Means that old server does not support TLS 1.2 or higher, which is now the configured minimum. TLS 1.2 is a decade old, so, shame on them.

As a temporary workaround, you might need to set the minimum allowed TLS version in the FileZilla settings to TLS 1.1 or even 1.0. Be aware that support for TLS 1.0 and 1.1 will be removed, eventually.

[tksharpless]

ftptest.net is able to make this TLS connection (log below) So just maybe there is a bug in FileZilla's Gnu TLS??

Status: Resolving address of paniniperspective.com

Status: Connecting to 184.168.190.50

Warning: The entered address does not resolve to an IPv6 address.

Status: Connected, waiting for welcome message...

Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------

Reply: 220-You are user number 1 of 500 allowed.

Reply: 220-Local time is now 14:24. Server port: 21.

Reply: 220-This is a private system - No anonymous login

Reply: 220 You will be disconnected after 3 minutes of inactivity.

Command: CLNT https://ftptest.net on behalf of 2601:4a:c081:9761

Reply: 530 You aren't logged in

Command: AUTH TLS

Reply: 234 AUTH TLS OK.

Status: Performing TLS handshake...

Status: TLS handshake successful, verifying certificate...

Status: Received 1 certificates from server.

Status: cert[0]: subject='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net' issuer='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net'

Command: USER sgerecke

Reply: 331 User sgerecke OK. Password required

Command: PASS ********

Reply: 230 OK. Current restricted directory is /

Command: SYST

Reply: 215 UNIX Type: L8

Command: FEAT

Reply: 211-Extensions supported:

Reply: EPRT

Reply: IDLE

Reply: MDTM

Reply: SIZE

Reply: MFMT

Reply: REST STREAM

Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;

Reply: MLSD

Reply: AUTH TLS

Reply: PBSZ

Reply: PROT

Reply: UTF8

Reply: TVFS

Reply: ESTA

Reply: PASV

Reply: EPSV

Reply: SPSV

Reply: ESTP

Reply: 211 End.

Command: PBSZ 0

Reply: 200 PBSZ=0

Command: PROT P

Reply: 200 Data protection level set to "private"

Command: PWD

Reply: 257 "/" is your current location

Status: Current path is /

Command: TYPE I

Reply: 200 TYPE is now 8-bit binary

Command: PASV

Reply: 227 Entering Passive Mode (184,168,190,50,198,5)

Command: MLSD

Status: Data connection established, performing TLS handshake...

Reply: 150 Accepted data connection

Status: TLS handshake successful, verifying certificate...

Status: Received 1 certificates from server.

Status: cert[0]: subject='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net' issuer='C=US,ST=Arizona,L=Scottsdale,O=GoDaddy Software Inc.,OU=Hosting,CN=p3nlhftpg67.shr.prod.phx3.secureserver.net'

Status: TLS session of transfer connection has been resumed.

Reply: 226-Options: -a -l

Reply: 226 3 matches total

Listing: type=cdir;sizd=4096;modify=20211104171453;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928057; .

Listing: type=pdir;sizd=4096;modify=20211104171453;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928057; ..

Listing: type=dir;sizd=4096;modify=20211104173432;UNIX.mode=0705;UNIX.uid=8050812;UNIX.gid=100450;unique=17g5928058; boat-test

Status: Success

[tksharpless]

https://www.cdn77.com/tls-test/ reports that TLS 1.2 is enabled on paniniperspective.com (and also 1.1).
So it looks to me as if there could be a bug in this FileZilla release.

[tksharpless]

Guess what I found in filezilla.xml?

<Setting name="Minimum TLS Version">2</Setting>

Shouldn't that be 1.2 ?

[tksharpless]

And guess what happens when I change that to "1.2" and run FileZilla?
It gets changed back to "2"!

Somebody please tell me how to fix this setting.

[oibaf]

As discussed already in the ticket you opened o trac, the web service you've used to test which TLS versions are supported by the ftp server you're trying to connect to is actually testing the http server which sits behind the same domain name as the ftp server. In addition, the "ftptest" website you've also used to check whether anybody can connect to the ftp server is certainly not using TLS 1.2.

Finally, there's nothing wrong with the setting in the xml file: that number is an index which gets translated internally to the proper TLS version, and "2" corresponds to the TLS 1.2.

As you've been told already, the ftp server you're connecting to doesn't support TLS 1.2. My tests here suggest that it actually only supports TLS 1.0, and the certificate it uses doesn't match the domain name, so it shouldn't be trusted.

FileZilla Client still allows you to connect to such a server, though, you just need to change the proper setting:

TLS version settings

Schermata del 2021-11-07 12-09-41.png (30.96 KiB) Viewed 1825 times