Connection failing with tls_layer_impl::failure(-8)

BloodBaz
504 Command not implemented
Posts: 11
Joined: 2009-01-26 11:37
First name: Chris
Last name: Walsh

#1 Post by BloodBaz » 2021-09-17 15:10

Hello,
I've just upgraded FileZilla server from the latest beta to v1.0.0.
But connecting to it using FTP Voyager is failing with the error "tls_layer_impl::failure(-8)" followed by "GnuTLS error -8: A packet with illegal or unsupported version was received."

The server and client are connecting using FTP over TLS (explicit) on port 21.
The server runs in PASV mode with passive ports open between 55536 and 56559.
On FileZilla Server, I'm using a self-signed certificate with min TLS version = v1.2 (FTP Voyager is happy to display a warning message on first connection with an accept button to allow for untrusted certificates).

I've tried googling "tls_layer_impl::failure(-8)" but I can't see what I've got wrong.

Here is my FileZilla settings.xml:

Code:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<filezilla>
	<!--The server's locale. By default, the one defined by the appropriate environment variables is used.-->
	<locale></locale>
	<!--Logging options.-->
	<logger>
		<!--The name of the log file. If empty, the log goes to stderr.-->
		<name>C:\Program Files\FileZilla Server\Logs\filezilla-server.log</name>
		<!--The maximum number of files to be used for the log rotation. Default is 0, meaning no rotation happens.-->
		<max_amount_of_rotated_files>5</max_amount_of_rotated_files>
		<!--The maximum size each log file can reach before being closed and a new one being opened. Only meaningful if max_amount_of_rotated_files > 0.-->
		<max_file_size>20971520</max_file_size>
		<!--Which types of logs must be enabled. Defaults to logmsg::error. See <libfilezilla/logger.hpp> for the values of the various types.-->
		<enabled_types>63</enabled_types>
	</logger>
	<!--FTP Server options-->
	<server>
		<!--List of addresses and ports the FTP server will listen on.-->
		<listener>
			<address>0.0.0.0</address>
			<port>21</port>
			<tls_mode>2</tls_mode>
		</listener>
		<listener>
			<address>0.0.0.0</address>
			<port>990</port>
			<tls_mode>2</tls_mode>
		</listener>
		<listener>
			<address>::</address>
			<port>21</port>
			<tls_mode>2</tls_mode>
		</listener>
		<listener>
			<address>::</address>
			<port>990</port>
			<tls_mode>2</tls_mode>
		</listener>
		<!--The duration, in millisecond, during which a given IP is put in black list, as a brute force protection measure.-->
		<brute_force_protection_duration>300000</brute_force_protection_duration>
		<!--Number of threads to distribute sessions to.-->
		<number_of_session_threads>2</number_of_session_threads>
		<!--Session-related options.-->
		<session>
			<!--The number of login attempts that are allowed to fail, within the timeframe specified by the parameter [login_attempts_failure_tolerance_duration]. The value 0 disables this mechanism.-->
			<number_of_allowed_failed_login_attempts>0</number_of_allowed_failed_login_attempts>
			<!--The duration, in millisecond, during which the number of failed login attempts is monitored.-->
			<login_attempts_failure_tolerance_duration>0</login_attempts_failure_tolerance_duration>
			<!--Login timeout (fz::duration)-->
			<login_timeout>60000</login_timeout>
			<!--Activity timeout (fz::duration).-->
			<activity_timeout>3600000</activity_timeout>
			<!--PASV settings-->
			<pasv>
				<!--IPV4 IP or name host that overrides the local address when PASV is used. Leave empty to not perform the override-->
				<host_override>###REDACTED###</host_override>
				<!--If set to true, then the host is not overriden for local connections.-->
				<do_not_override_host_if_peer_is_local>true</do_not_override_host_if_peer_is_local>
				<!--Port range to be used for PASV connections-->
				<port_range>
					<!--Maximum value for the port range to be used for PASV connections-->
					<min>55536</min>
					<!--Maximum value for the port range to be used for PASV connections-->
					<max>56559</max>
				</port_range>
			</pasv>
			<!--TLS certificate data.-->
			<tls min_protocol_version="2" index="2">
				<!--Fingerprint of the autogenerated and selfsigned certificate.-->
				<fingerprint>74:3f:8b:e8:###REDACTED###:64:8e:00</fingerprint>
			</tls>
		</session>
	</server>
	<!--Administration options.-->
	<admin>
		<local_port>14148</local_port>
		<password index="0" />
		<tls min_protocol_version="2" index="2">
			<!--Fingerprint of the autogenerated and selfsigned certificate.-->
			<fingerprint>96:37:4e:###REDACTED###:71:ff:5b</fingerprint>
		</tls>
	</admin>
	<!--ACME (Let's Encrypt and the like) settings.-->
	<acme>
		<account_id></account_id>
		<how_to_serve_challenges index="0" />
	</acme>
</filezilla>

Here is the Server log of the failed connection:

Here is my FileZilla users.xml:

Code:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<filezilla>
	<user name="realsense">
		<mount_point tvfs_path="/rsplatformroot/DatabaseBackups" native_path="D:\ActivbaseBackups" access="0" />
		<mount_point tvfs_path="/IISLogs" native_path="D:\inetpub\logs\LogFiles" access="0" />
		<mount_point tvfs_path="/" native_path="D:\inetpub" access="1" />
		<rate_limits inbound="unlimited" outbound="unlimited" session_inbound="unlimited" session_outbound="unlimited" />
		<allowed_ips></allowed_ips>
		<disallowed_ips></disallowed_ips>
		<password index="3">
			<hash>###REDACTED###</hash>
			<salt>###REDACTED###</salt>
		</password>
	</user>
</filezilla>

Here is the FileZilla Server Log:

Code:

2021-09-17T14:53:41.763Z == Setting up TLS for the FTP Server
2021-09-17T14:53:41.763Z == SHA1 certificate fingerprint: 98:7c:c0:af:f3:52:d4:8e:cf:b4:f3:e7:79:0d:e2:ad:99:98:47:80
2021-09-17T14:53:41.763Z == SHA256 certificate fingerprint: 74:3f:8b:e8:0e:81:11:01:7e:9d:49:18:08:eb:17:8d:2f:58:42:bb:9f:34:f8:08:5d:af:d6:05:42:64:8e:00
2021-09-17T14:53:41.763Z == Setting up TLS for the Administration Server
2021-09-17T14:53:41.763Z == SHA1 certificate fingerprint: d2:50:60:16:31:83:86:7e:d9:e1:8e:80:25:71:db:dd:bb:56:ac:cc
2021-09-17T14:53:41.763Z == SHA256 certificate fingerprint: 96:37:4e:98:27:52:da:1e:6e:ec:3a:1c:7c:4d:23:76:52:1a:b8:30:2b:11:2b:33:7e:c6:c1:87:d0:71:ff:5b
2021-09-17T14:53:41.779Z == [Administration Server] Listening on 127.0.0.1:14148 (tls_mode = 1).
2021-09-17T14:53:41.779Z == [FTP Server] Listening on 0.0.0.0:21 (tls_mode = 2).
2021-09-17T14:53:41.779Z == [Administration Server] Listening on ::1:14148 (tls_mode = 1).
2021-09-17T14:53:41.779Z == [FTP Server] Listening on 0.0.0.0:990 (tls_mode = 2).
2021-09-17T14:53:41.779Z == [FTP Server] Listening on :::21 (tls_mode = 2).
2021-09-17T14:53:41.779Z == [FTP Server] Listening on :::990 (tls_mode = 2).
2021-09-17T14:53:45.576Z II [Administration Server] TLS Handshake successful
2021-09-17T14:53:45.576Z II [Administration Server] Protocol: TLS1.3, Key exchange: ECDHE-SECP384R1-ECDSA-SECP256R1-SHA256, Cipher: AES-256-GCM, MAC: AEAD
2021-09-17T14:53:45.576Z == [Administration Server] Administration client with ID 1 connected from 127.0.0.1:64244.
2021-09-17T14:53:54.764Z II [FTP Session 1 51.148.132.249] Session 0x250e5770090 with ID 1 created.
2021-09-17T14:53:54.796Z >> [FTP Session 1 51.148.132.249] AUTH TLS
2021-09-17T14:53:54.827Z !! [FTP Session 1 51.148.132.249] GnuTLS error -8: A packet with illegal or unsupported version was received.
2021-09-17T14:53:54.827Z !! [FTP Session 1 51.148.132.249] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2021-09-17T14:53:54.827Z !! [FTP Server] Session ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
2021-09-17T14:53:54.827Z II [FTP Session 1 51.148.132.249] Session 0x250e5770090 with ID 1 destroyed.

Here is FTP Voyager client:

Code:

STATUS>	Resolving host "activbase.net"...
STATUS>	Connecting to "###REDACTED###" on port 21.
STATUS>	Connected to ###REDACTED###:21 from ###REDACTED###:63990.
	220-FileZilla Server 1.0.0
	220 Please visit https://filezilla-project.org/
COMMAND>	AUTH TLS
	234 Using authentication type TLS.
ERROR>	Could not establish a connection to ###REDACTED###.

Any pointers would be appreciated. Thanks.
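
A log check for the failure pattern in the post above (AUTH TLS followed by a GnuTLS error on the same session), which shows which peers stop connecting once the minimum TLS version is raised. This is an added example, not part of the original post; the sample log is constructed in the format shown above with placeholder addresses, and the function name is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the FileZilla Server 1.0.0 log format shown in the post
# (peer addresses are documentation-range placeholders, not real clients).
SAMPLE_LOG = """\
2021-09-17T14:53:54.796Z >> [FTP Session 1 192.0.2.10] AUTH TLS
2021-09-17T14:53:54.827Z !! [FTP Session 1 192.0.2.10] GnuTLS error -8: A packet with illegal or unsupported version was received.
2021-09-17T14:53:54.827Z II [FTP Session 1 192.0.2.10] Session 0x1 with ID 1 destroyed.
2021-09-17T14:54:10.100Z >> [FTP Session 2 198.51.100.7] AUTH TLS
2021-09-17T14:54:10.400Z >> [FTP Session 2 198.51.100.7] USER example
2021-09-17T14:55:01.000Z >> [FTP Session 3 192.0.2.10] AUTH TLS
2021-09-17T14:55:01.030Z !! [FTP Session 3 192.0.2.10] GnuTLS error -8: A packet with illegal or unsupported version was received.
"""

LINE = re.compile(r"^(\S+) (\S{2}) \[FTP Session (\d+) (\S+)\] (.*)$")
GNUTLS = re.compile(r"^GnuTLS error (-?\d+): (.*)$")

def tls_failures_by_peer(log_text):
    """Count GnuTLS errors that hit a session between AUTH TLS and its next command."""
    awaiting_handshake = set()          # session IDs that have sent AUTH TLS
    failures = defaultdict(Counter)     # peer -> {gnutls_code: count}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                    # startup, admin and other lines
        _ts, marker, session, peer, msg = m.groups()
        if marker == ">>":              # a command received from the client
            if msg.strip().upper() == "AUTH TLS":
                awaiting_handshake.add(session)
            else:
                awaiting_handshake.discard(session)   # handshake got through
        elif marker == "!!" and session in awaiting_handshake:
            err = GNUTLS.match(msg)
            if err:
                failures[peer][int(err.group(1))] += 1
                awaiting_handshake.discard(session)
    return {peer: dict(codes) for peer, codes in failures.items()}

if __name__ == "__main__":
    for peer, codes in tls_failures_by_peer(SAMPLE_LOG).items():
        print(peer, codes)
```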

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Connection failing with tls_layer_impl::failure(-8)

#2 Post by botg » 2021-09-17 16:02

A Wireshark dump would be nice.

#3 Post by BloodBaz » 2021-09-17 16:29

botg wrote (2021-09-17 16:02):
"A Wireshark dump would be nice."

Which end - client or server? Server end might be tricky.

#4 Post by botg » 2021-09-17 19:42

Either end is fine.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

#5 Post by boco » 2021-09-17 21:05

Wasn't FTP Voyager last updated in 2014? You really want to use a 7-year-old client?
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

#6 Post by botg » 2021-09-17 22:00

TLS 1.2 came out 13 years ago [1]. A handshake failure such as this must be something more sinister.


[1] Yes, it's that old already.

#7 Post by boco » 2021-09-18 00:42

As I still have my copy of FTP Voyager, I had a play and yes, there's definitely something wrong with that client.

Unfortunately, there are no knobs in FTPV for changing TLS parameters.


Edit: Well, well. I had more of a play with my other FTP server (where I can allow/deny certain TLS versions), and I think we can end this here.

Result: FTP Voyager only supports up to TLS 1.0 - restricting to anything higher, even TLS 1.1, and the connection fails hard. Ugh.

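What a capture of the failing handshake would show, given the result above: the client's ClientHello offers nothing above TLS 1.0, so a server with a TLS 1.2 minimum rejects it. This is an added example, not from the thread; the ClientHello bytes are constructed rather than captured, and all function names are hypothetical.

```python
import struct

def build_client_hello(legacy, supported=None):
    """Constructed ClientHello record (not a capture) used as demo input."""
    exts = b""
    if supported:
        vers = b"".join(bytes(v) for v in supported)
        exts = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
    body = (bytes(legacy) + bytes(32)            # client_version, random
            + b"\x00"                            # empty session_id
            + b"\x00\x02\x00\x2f"                # one cipher suite
            + b"\x01\x00")                       # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def max_offered_version(record):
    """Highest protocol version a ClientHello offers, as (major, minor)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                      # 5-byte record + 4-byte handshake header
    legacy = (record[pos], record[pos + 1])
    pos += 2 + 32                                # skip client_version and random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    if pos + 2 > len(record):
        return legacy                            # no extensions at all
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == 43:                          # supported_versions extension
            pairs = [(data[i], data[i + 1]) for i in range(1, 1 + data[0], 2)]
            # GREASE placeholders never use major version 3, so drop them
            return max((p for p in pairs if p[0] == 3), default=legacy)
        pos += 4 + elen
    return legacy

def server_accepts(record, minimum=(3, 3)):
    """True if the offer reaches the server's minimum ((3, 3) is TLS 1.2)."""
    return max_offered_version(record) >= minimum

if __name__ == "__main__":
    old = build_client_hello((3, 1))             # client that stops at TLS 1.0
    print(max_offered_version(old), server_accepts(old))
```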
#8 Post by BloodBaz » 2021-09-22 11:03

Thanks for your feedback guys to my opening question.

Sounds like FTP Voyager is too old to support modern TLS versions (last updated 7 years ago, only supports TLS v1.0).
Time I invested in a new FTP Client.

Thanks
Chris
