Can't connect with TLS/SSL in version 3.1.0

whale
500 Syntax error
Posts: 16
Joined: 2008-07-24 03:22
First name: Franklin
Last name: Tse

Re: Can't connect with TLS/SSL in version 3.1.0

#31 Post by whale » 2008-07-27 10:40

botg wrote: Actually PROT C is even the initial default, so FZ has to fall back.

But that's not the problem in this case. Please configure the server and all attached routers and firewalls as described in the Network Configuration guide.

Would you explain the issue further? Why does the GnuTLS error occur when the FileZilla server closes the connection?

dmill
500 Command not understood
Posts: 4
Joined: 2008-07-25 02:52
First name: Dave
Last name: Miller

Re: Can't connect with TLS/SSL in version 3.1.0

#32 Post by dmill » 2008-07-28 15:50

Is anyone aware of a 'nix FTP server to which FZ 3.1 will connect?

rayvd
504 Command not implemented
Posts: 11
Joined: 2008-07-29 20:13
First name: Ray
Last name: Van Dolson

Re: Can't connect with TLS/SSL in version 3.1.0

#33 Post by rayvd » 2008-07-29 21:08

Developers might be interested in this thread. It would be nice to get some cross-developer discussion going to avoid this not getting fixed if it should. :-)

botg
Site Admin
Posts: 32272
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Can't connect with TLS/SSL in version 3.1.0

#34 Post by botg » 2008-07-29 22:24

vsftpd 3.0.7 will perform proper SSL/TLS shutdowns. Should be released soon.

cakruege
504 Command not implemented
Posts: 6
Joined: 2008-07-23 21:29

Re: Can't connect with TLS/SSL in version 3.1.0

#35 Post by cakruege » 2008-07-30 11:37

Please add an option to ignore this error; the RFC is capable of being misunderstood. It will take years until this problem is fixed in all SSL-capable FTP servers.
The problem is not so critical that an option to ignore it would be too harmful, if the user knows the impact. (Default like now, but with an option to ignore.)

The only other alternative for users of FTP servers maintained by third parties is to change the FTP client.

botg
Site Admin
Posts: 32272
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Can't connect with TLS/SSL in version 3.1.0

#36 Post by botg » 2008-07-30 12:35

If you don't force people to upgrade to a proper server, they never will.

cakruege
504 Command not implemented
Posts: 6
Joined: 2008-07-23 21:29

Re: Can't connect with TLS/SSL in version 3.1.0

#37 Post by cakruege » 2008-07-30 13:44

Neither can I force server admins, nor can you.
FileZilla is only 1 of hundreds of FTP clients.

But I can't use FileZilla anymore.

rayvd
504 Command not implemented
Posts: 11
Joined: 2008-07-29 20:13
First name: Ray
Last name: Van Dolson

Re: Can't connect with TLS/SSL in version 3.1.0

#38 Post by rayvd » 2008-07-30 14:13

Yes, I think you developers need to take an active role petitioning server vendors (especially the OSS ones). Users pestering them with only a partial understanding of the technical reasons only goes so far.

The reality as mentioned already is that we can no longer recommend the latest versions of FileZilla to clients connecting to our FTP site. Any other course of action is rather unrealistic... :-)

I have some basic understanding now of the technical issues, so I'm going to open a ProFTPd bug for this, but it would be extremely helpful if a developer here would monitor and contribute to the discussion there if they're truly interested in seeing this type of change propagated. What I've gleaned so far out of mailing list discussions is that the passive vs. active SSL shutdown thing is still not as clearly defined as it should be, with a passive shutdown indicated in some places in the RFC but not in others.

I'll post back with the bz id# later.

huggy59
500 Command not understood
Posts: 1
Joined: 2008-07-30 14:52
First name: Gordon
Last name: Cunningham

Re: Can't connect with TLS/SSL in version 3.1.0

#39 Post by huggy59 » 2008-07-30 15:02

While I agree that security issues such as these must be moved forward and supported, there is - in fact, there must be - room for overlap. We deal with some State and Federal government systems using explicit SSL - some on mainframes and minis - and given the nature of many entrenched legacy systems that are no longer under development at these levels, they are not likely to change any time soon.

May I suggest that until the rest of the world falls into line with upgraded server software that at least earlier versions of the Filezilla client be made available for download on your sites? If not, you are effectively saying, "You may not use Filezilla any more." Please make room for the overlap.

rayvd
504 Command not implemented
Posts: 11
Joined: 2008-07-29 20:13
First name: Ray
Last name: Van Dolson

Re: Can't connect with TLS/SSL in version 3.1.0

#40 Post by rayvd » 2008-07-30 15:09

The older clients are available for download on the Sourceforge download page. I am recommending 3.0.11.1 to users currently that require TLS/SSL.

3.0.11.1 here.

boco
Contributor
Posts: 24606
Joined: 2006-05-01 03:28
Location: Germany

Re: Can't connect with TLS/SSL in version 3.1.0

#41 Post by boco » 2008-07-30 15:18

Please note that 3.0.11.1 is already in my sticky, as it's by coincidence also the last working Windows 2000 version. I just hope that Sourceforge links will not become invalid anytime soon...
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

rayvd
504 Command not implemented
Posts: 11
Joined: 2008-07-29 20:13
First name: Ray
Last name: Van Dolson

Re: Can't connect with TLS/SSL in version 3.1.0

#42 Post by rayvd » 2008-07-30 15:38

ProFTPd bug opened. Jump on the CC or add your two cents to the discussion (especially if you're a developer).

rayvd
504 Command not implemented
Posts: 11
Joined: 2008-07-29 20:13
First name: Ray
Last name: Van Dolson

Re: Can't connect with TLS/SSL in version 3.1.0

#43 Post by rayvd » 2008-07-30 16:48

FYI, fix for ProFTPd has been committed to CVS. Also, since I (and perhaps others) use RHEL for this, built an RPM against the EPEL version (1.3.1) that includes this patch. You can snag it here or watch the RH bugzilla here.

maybewecan
500 Command not understood
Posts: 1
Joined: 2008-07-30 19:22
First name: Jeremy
Last name: Stevens

Re: Can't connect with TLS/SSL in version 3.1.0

#44 Post by maybewecan » 2008-07-30 19:26

I am having the same issues as all the users on this forum. I sent in an email to my support representative for Xlight FTP server and they sent me back the following reply:

"Hi,

That's not the case. SSL/TLS shutdown happens only when closing SSL/TLS
connection, not at the stage of connection setup.

Since your user can not connect, Filezilla must break something in their
code for SSL negotiation. Xlight FTP uses Microsoft CryptoAPI come with
Windows OS, SSL negotiation is handled by CryptoAPI also. That means
Filezilla breaks its compatibility with FTP Server using CryptoAPI,
including Microsoft IIS7 FTP."


Seems that there are some signals being mixed to me. Can someone tell me how I need to proceed, as this is now a major issue for our company?

Thank you.

Cheers!

botg
Site Admin
Posts: 32272
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Can't connect with TLS/SSL in version 3.1.0

#45 Post by botg » 2008-07-30 20:11

Tell them their server does not send the TLS closure alert as required by RFC 4346 section 7.2.1 upon closing the data connection.
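
The missing closure alert named in the post above can be checked from a capture of the data connection. The following is an added example, not part of the original post and not FileZilla or server code: it walks the cleartext TLS record headers of one server-to-client byte stream and reports whether the last record before the TCP close was an alert. The function names and the sample streams are constructed for illustration.

```python
import struct

# TLS record content types (RFC 4346, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048  # largest TLSCiphertext fragment allowed


def parse_records(stream: bytes):
    """Return ([(type_name, length), ...], leftover_byte_count)."""
    records, pos = [], 0
    while len(stream) - pos >= 5:
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_FRAGMENT:
            raise ValueError(f"not a TLS record header at offset {pos}")
        if pos + 5 + length > len(stream):
            break  # stream ended in the middle of a record
        records.append((CONTENT_TYPES[ctype], length))
        pos += 5 + length
    return records, len(stream) - pos


def classify_close(stream: bytes) -> str:
    """Classify how one direction of a TLS 1.0-1.2 connection ended."""
    records, leftover = parse_records(stream)
    if leftover:
        return "truncated-mid-record"
    if records and records[-1][0] == "alert":
        # After the handshake the alert body is encrypted, so the capture
        # shows that an alert was sent, not which one (close_notify or fatal).
        return "closed-with-alert"
    return "no-closure-alert"


def rec(ctype: int, payload: bytes, version=(3, 2)) -> bytes:
    """Build one constructed record; (3, 2) is TLS 1.1."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload


# Constructed server-to-client streams with opaque filler payloads.
HANDSHAKE = rec(22, b"\x00" * 90) + rec(20, b"\x01") + rec(22, b"\x00" * 48)
DATA = rec(23, b"\xaa" * 1024) + rec(23, b"\xaa" * 300)
PROPER = HANDSHAKE + DATA + rec(21, b"\xbb" * 32)   # alert before TCP close
RAGGED = HANDSHAKE + DATA                           # TCP close, no alert
CUT = HANDSHAKE + DATA[:700]                        # data cut mid-record

if __name__ == "__main__":
    for name, s in (("proper", PROPER), ("ragged", RAGGED), ("cut", CUT)):
        print(name, classify_close(s))
```

This header-level check applies to TLS 1.0 through 1.2 captures only; TLS 1.3 carries alerts inside application_data records, so the record type no longer reveals them.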
