
TLS - FileZilla Server 1.2.0

Posted: 2022-01-06 12:59
by Nast
Hi,
I could really use some help. I'm trying to set up FileZilla 1.2.0, and I'm having some trouble setting the server to be TLS encrypted.
I tested with plain FTP on port 21 and it was working. Then I added my certificate and I tried with the settings in the picture "port 21 - Require explicit FTP over TLS".

I also tried with port 990 and implicit FTP and it’s still not working. However, it was working with port 990 and implicit FTP with the auto-signed certificate.
Furthermore, I don't know why the FileZilla service is constantly turning off.

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 08:43
by botg
What does it say in the log if you try to use FTP over TLS?

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 09:34
by Nast
Thanks for answering so quickly. When I try to log in on ftps://ftp.xx.com with port 990 I received "Error GnuTLS - 15:An unexpected TLS packet was received" when it's configured with Require explicit FTP over TLS, because when I try on port 990 with Implicit FTP over TLS I received "Impossible to establish a connexion "

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 09:57
by boco
To clear up some confusion: port 990 is strictly for Implicit FTP over TLS (which is not standardized and thus not recommended). The preferred and recommended Explicit FTP over TLS connects to port 21 (by default, at least).

Not all servers support Implicit FTPS and the ones that do not have that port closed.
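
The difference described above shows up in who speaks first after the TCP connect: on an explicit port the server sends a plaintext 220 greeting and TLS starts only after AUTH TLS, while on an implicit port the server waits silently for the TLS ClientHello. The sketch below is an added example, not part of the thread or of FileZilla; `probe`, `classify_first_bytes` and the local demo server are hypothetical names, and the greeting is constructed.

```python
import socket
import threading

TLS_CONTENT_TYPES = (0x14, 0x15, 0x16, 0x17)  # ccs, alert, handshake, app data

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes received from a server."""
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls-record"
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "ftp-plaintext"  # e.g. a "220 ..." greeting: explicit mode or plain FTP
    return "unknown"

def probe(host: str, port: int, wait: float = 0.5) -> str:
    """Connect, send nothing, and see whether the server speaks first."""
    with socket.create_connection((host, port), timeout=wait) as s:
        try:
            data = s.recv(64)
        except socket.timeout:
            # Silence fits implicit TLS: the server waits for a ClientHello.
            return "silent"
    return "closed" if not data else classify_first_bytes(data)

def start_demo_server(greeting: bytes) -> int:
    """Constructed local stand-in for a server; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        conn.recv(1)  # block until the probe disconnects
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    explicit = start_demo_server(b"220 demo FTP server ready\r\n")  # constructed greeting
    implicit = start_demo_server(b"")
    print("explicit-style port:", probe("127.0.0.1", explicit))
    print("implicit-style port:", probe("127.0.0.1", implicit))
```
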

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 10:52
by Nast
Thanks for the explanation. So I should configure Explicit FTP over TLS and connect to port 21, but I still received the same error: "Error GnuTLS - 15:An unexpected TLS packet was received"

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 11:43
by boco
What FTP client do you use?

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 13:23
by Nast
I use FileZilla as FTP client. I did try to put on TLS options for the certificate

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 13:37
by boco
You have provided a key (GoDaddy2019.key) and a cert. What concerns me is that the key is named GoDaddy2019, yet the cert is valid from 2021 to 2022. The certificate and key specified must match (be from the same CSR). Could you have accidentally selected a defunct key as "Private key file"?

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 14:24
by Nast
No, I think they match. I only have those files.

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-07 16:57
by botg
What format is the keyfile in? It needs to be in PEM.

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-10 08:25
by Nast
The keyfile was .key and I used .pem for the certificate. Should I use .pem as keyfile and .cert as certificate?

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-10 09:23
by boco
From what I know, both must be in PEM. Note that we refer to the internal format of the file, not merely the file extension. So, no matter if the key file ends in .key, .pem, or .bupkis, its internal format must be PEM. If it's in another format, currently, like PKCS, you need to convert it.
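
A way to check the internal format from the file's bytes rather than its extension, as an added example that is not part of the thread or of FileZilla: `inspect_tls_file` and `der_header_len` are hypothetical names, the binary checks are heuristics, and the sample is a constructed placeholder rather than a real key.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_header_len(raw: bytes) -> int:
    """Length of the outer ASN.1 tag+length header (short or long form)."""
    return 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)

def inspect_tls_file(raw: bytes) -> dict:
    """Report the container format from the bytes, ignoring the file name."""
    blocks = []
    for m in PEM_BLOCK.finditer(raw):
        lines = m.group(2).splitlines()
        # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines.
        headers = [l for l in lines if b":" in l]
        body = b"".join(l.strip() for l in lines if b":" not in l)
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            return {"format": "pem-corrupt", "blocks": []}
        label = m.group(1).decode()
        blocks.append({
            "label": label,  # e.g. CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY
            "encrypted": label.startswith("ENCRYPTED") or bool(headers),
            # Only meaningful when the block has no legacy encryption headers.
            "asn1_ok": der[:1] == b"\x30",
        })
    if blocks:
        return {"format": "pem", "blocks": blocks}
    if len(raw) > 4 and raw[0] == 0x30:
        inner = raw[der_header_len(raw):][:3]
        # Heuristic: a PKCS#12 (.pfx/.p12) container starts with INTEGER 3.
        kind = "pkcs12" if inner == b"\x02\x01\x03" else "der"
        return {"format": kind, "blocks": []}
    return {"format": "unknown", "blocks": []}

# Constructed sample: PEM armor around a 5-byte placeholder, not a real key.
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(inspect_tls_file(SAMPLE_PEM))
```

A file reported as `der` or `pkcs12` is the kind that needs converting before it is selected as the key or certificate file, whatever its extension says.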

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-10 16:48
by Nast
I converted both to PEM and I'm still having the same issue.

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-10 18:17
by botg
Please post a log from both the client and the server showing a connection attempt.

Re: TLS - FileZilla Server 1.2.0

Posted: 2022-01-12 05:14
by andyw
I am having the same issue with TLS and FileZilla. I have used FileZilla in the past with vsftp without issue. But had a new computer, downloaded the latest version and it fails. I've gone through several articles with suggested fixes but they usually deal with the failure to make a TLS connection, rather than making a connection and then bailing. I tried all the suggestions in any case but they didn't help. I have tried this with both a self-signed certificate and a commercial certificate (and matching key). It makes the TLS connection but then gets this error. Have no idea what it means or why.

From the client:

Status: Connecting to (removed for post):21...
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.3)
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Status: TLS connection established.
Command: USER fourclarks
Response: 331 Please specify the password.
Command: PASS ************
Error: GnuTLS error -15 in gnutls_record_recv: An unexpected TLS packet was received.
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Could not connect to server

From the Server (vsftpd.log):

Tue Jan 11 21:53:42 2022 [pid 27024] CONNECT: Client "::ffff: (removed for post)"
Tue Jan 11 21:53:51 2022 [pid 27018] [fourclarks] OK LOGIN: Client "::ffff: (removed for post)"
Tue Jan 11 21:53:56 2022 [pid 27034] CONNECT: Client "::ffff: (removed for post)"
Tue Jan 11 21:53:56 2022 [pid 27033] [fourclarks] OK LOGIN: Client "::ffff: (removed for post)"

Not much to go on ....... I can make you an account on the server if you want so you can try it yourself.

Andy