FileZilla Forums

As stated on this blog, the recent Windows updates (October 2019) caused some issues for FTP clients using .NET framework (e.g. FluentFTP, ArxOne.Ftp, ...).

On the client side, the error might look like: While on FileZilla Server side, the error is: The linked post suggests that updating OpenSSL used by FZS would solve the issue but I haven't been able to do that by myself.

Uninstalling the Windows update is unfortunately not an option.

Updating to OpenSSL 1.1 isn't possible due to an incompatible API.

Please wait for the FileZilla Server rewrite which will be using GnuTLS.

I ended up setting up Windows Server FTP /IIS feature
it is not as easy to setup but worked for me in the end

Should this be logged on the bug tracker? I couldn't find a reference to it, having tried various search filters.

I also couldn't find anything tracking a rewrite; but maybe that sort of change is tracked elsewhere... Is there a rough ETA for when the new version would be available? I'm guessing it's going to be months or more rather than days or less...

Thank-you in advance.

Unless someone has a workaround, then It seems that with this bug I can't securely connect to a FileZilla server from .NET anymore. That's a deal breaker for me.

Good evening everybody!
I actually registered because of this specific problem, because i learned to rely on FileZillaServer quietly ticking in the background doing its job.
I actually molested to other software forums about their "broken" software before even asuming the problem could be the server.
As it turns out this seems to be the case though.
Nonetheless do I have two questions:

botg wrote: ↑

2019-10-18 16:31

Please wait for the FileZilla Server rewrite which will be using GnuTLS.

I know this is terribly unpolite, but do we have even any ETA on that? Are we taking days, weeks, months or years?
I know that this is nothing I can demand, but as said, I learned to rely on it, and while I quickly could move things over to sftp, the performance is just abominable.

Second:
Why does it only affect certain clients?
For example the FileZilla client maneuvers it just fine. As well as the TotalCommander Android App.
The TotalCommander 64Bit Win Version or my backup-software Duplicati crap out completely.

Every article I have found on the Windows Update said that it affects the server, and the server "forces" TLS resumption.
So how comes that some clients still work?

As I understand it, the problem is only with clients relying on the .NET framework in some way (depends on the language it was coded in). FileZilla does not use .NET and is unaffected.

Incompatibility of .NET implementation vs. OpenSSL-based FTP server software. And yes, TLS session resumption is forced by default, as security feature. Can be disabled in the settings, lowers security but might restore operation, as a stop gap measure.

Ahh,
so it was a windows update that broke our app. I was wondering why all of a sudden we got error messages all over the place.. I also registered just for that topic but posted here: viewtopic.php?t=36903
Any idea when the FileZilla rewrite will come out? I can live with the disabled "force session resumption" feature for a while but if changes to our app are necessary, I'd rather know now and have a dev take a look at it...
All the best,

Moritz

It would be best fixing the App, as the rewrite is in very early stages, only. Additionally, you never know what surprises other FTP servers in the wild may provide.

Ahh,
so it was a windows update that broke our app.

Welcome to the clusterfuck known as WaaS. Better get used to it, will happen all the time, from now on.

I am stalking the FileZilla website and forum as well ever since.
The whole Situation is kind of frustrating.

So I ask again if there is any kind of timeline either on a fix for the current version or the rewrite?
If not, is there a newsletter somewhere so that would get the word as fast as possible?

botg wrote: ↑

2019-10-18 16:31

Updating to OpenSSL 1.1 isn't possible due to an incompatible API.

Please wait for the FileZilla Server rewrite which will be using GnuTLS.

This is affecting us as well and impacting security.

Any ideas when we might expect the FileZilla Server rewrite which will be using GnuTLS?

Any update here?

When it's done. 2020 sounds like a good year.

In the meantime, do the developers have any recommendations on the security side of things?
Deactivate the TLS Resumption, disregard all clients that encounter the error, or uninstall KB4517389?

Security-wise? Don't disable session resumption and only use compatible clients, until this is fixed by MS or OpenSSL.