TLS Error on FileZilla 1.2 (solved)

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.


CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

TLS Error on FileZilla 1.2 (solved)

#1 Post by CrimpOn » 2022-01-18 19:32

Please excuse my ignorance. :oops:

One of my security cameras had a firmware update and now defaults to FTP over TLS rather than plain (unencrypted) FTP.
"No problem". Port 21 clearly states it supports both TLS and plain FTP.
However, the FileZilla log shows this:

Code:

2022-01-18T19:18:33.781Z >> [FTP Session 171 192.168.1.52] AUTH TLS
2022-01-18T19:18:33.784Z << [FTP Session 171 192.168.1.52] 234 Using authentication type TLS.
2022-01-18T19:18:33.799Z !! [FTP Session 171 192.168.1.52] GnuTLS error -87: No supported cipher suites have been found.
2022-01-18T19:18:33.800Z !! [FTP Session 171 192.168.1.52] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-01-18T19:18:33.800Z !! [FTP Server] Session 171 ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
FileZilla is set to use the Self-Signed certificate that was generated automatically when version 1.2 was installed.

Can someone please point me toward the steps to correct my installation?

Thanks

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: TLS Error on FileZilla 1.2

#2 Post by botg » 2022-01-18 20:11

It appears your client doesn't support modern ciphers. Please update your client so that it supports the default ciphers mandated by TLS 1.2 and TLS 1.3.

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#3 Post by CrimpOn » 2022-01-19 00:49

Thank you for the speedy response. I had already registered a complaint with the security camera tech support over changing the default to TLS.
Now I can ding them about their "Optimized FTP function" being defective in regards to TLS.

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#4 Post by CrimpOn » 2022-01-20 19:02

The camera company suggested that I install Cerebus FTP to confirm the problem.
(anyone not happy with the FileZilla install process will not enjoy Cerebus. :lol: )

Now have FileZilla on port 21 and Cerebus on port 121. Cerebus claims to support TLS 1.2.
Alas, the camera connects to Cerebus with TLS and transfers file. No errors.
(This was not what I wanted.)

Perhaps the issue is that the default FileZilla installation puts the self-signed certificate where the connection cannot find it?

I remain frustrated that the camera user interface provides a default of "plain" and instead uses TLS. :(

Sorry to be unable to figure this out myself.

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#5 Post by CrimpOn » 2022-01-20 19:43

Log from failed session:

Code:

2022-01-20T19:38:51.745Z II [FTP Session 4174 192.168.1.52] Session 0x276776db040 with ID 4174 created.
2022-01-20T19:38:51.803Z >> [FTP Session 4174 192.168.1.52] AUTH TLS
2022-01-20T19:38:51.803Z DD [FTP Session 4174 192.168.1.52] securer(1) ENTERING state = 0
2022-01-20T19:38:51.803Z DD [FTP Session 4174 192.168.1.52] calling tls_layer_->set_certificate_file("C:\WINDOWS\system32\config\systemprofile\AppData\Local\filezilla-server\certificates\f9ded7fd623594f07ebc396eb718e48ec0a2e9f741f542ea4b135db88a45e588\key.pem", "C:\WINDOWS\system32\config\systemprofile\AppData\Local\filezilla-server\certificates\f9ded7fd623594f07ebc396eb718e48ec0a2e9f741f542ea4b135db88a45e588\cert.pem", "****")
2022-01-20T19:38:51.804Z DD [FTP Session 4174 192.168.1.52] securer(1) EXITING state = 1
2022-01-20T19:38:51.804Z << [FTP Session 4174 192.168.1.52] 234 Using authentication type TLS.
2022-01-20T19:38:51.804Z DD [FTP Session 4174 192.168.1.52] ~securer(1) ENTERING state = 1
2022-01-20T19:38:51.804Z DD [FTP Session 4174 192.168.1.52] calling tls_layer_->set_alpn("ftp")
2022-01-20T19:38:51.804Z VV [FTP Session 4174 192.168.1.52] tls_layer_impl::server_handshake()
2022-01-20T19:38:51.804Z VV [FTP Session 4174 192.168.1.52] tls_layer_impl::continue_handshake()
2022-01-20T19:38:51.804Z DD [FTP Session 4174 192.168.1.52] ~securer(1) EXITING state = 2
2022-01-20T19:38:51.804Z DD [FTP Session 4174 192.168.1.52] tls_layer_impl::on_send()
2022-01-20T19:38:51.804Z VV [FTP Session 4174 192.168.1.52] tls_layer_impl::continue_handshake()
2022-01-20T19:38:51.825Z DD [FTP Session 4174 192.168.1.52] tls_layer_impl::on_read()
2022-01-20T19:38:51.825Z VV [FTP Session 4174 192.168.1.52] tls_layer_impl::continue_handshake()
2022-01-20T19:38:51.825Z DD [FTP Session 4174 192.168.1.52] TLS handshakep: Received CLIENT HELLO
2022-01-20T19:38:51.825Z DD [FTP Session 4174 192.168.1.52] tls_layer_impl::failure(-87)
2022-01-20T19:38:51.825Z !! [FTP Session 4174 192.168.1.52] GnuTLS error -87: No supported cipher suites have been found.
2022-01-20T19:38:51.825Z !! [FTP Session 4174 192.168.1.52] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-01-20T19:38:51.825Z !! [FTP Server] Session 4174 ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-01-20T19:38:51.825Z II [FTP Session 4174 192.168.1.52] Session 0x276776db040 with ID 4174 destroyed.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: TLS Error on FileZilla 1.2

#6 Post by boco » 2022-01-20 19:44

I'm pretty sure you mean Cerberus FTP.

Sure, it claims to support FTP over TLS 1.2, but that is not the issue. The issue is that FileZilla Server REQUIRES AT LEAST FTP over TLS version 1.2 and the support of High-Encryption cipher suites. While Cerberus claims to support FTP over TLS 1.2 as well, it also probably still supports earlier versions. The camera simply negotiates the lower TLS version with the server, be it FTP over TLS 1.1, FTP over TLS 1.0 or, heaven forbid, even FTP over SSL 3.0. My bet is on TLS 1.0.

FileZilla Server will outright reject anything below TLS 1.2, and any lower-grade ciphers as well.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#7 Post by CrimpOn » 2022-01-21 00:54

Thanks for the prompt. I checked Cerberus security settings and found this:
[image: screenshot of the Cerberus security settings]

Only TLS 1.2 is checked. Perhaps Cerberus is allowing outdated ciphers?
It is not clear (to me) how SSL and TLS are connected in terms of ciphers. This is what Cerberus shows:
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!CAMELLIA

The Cerberus log shows: TLSv1.2 (DHE-RSA-AES256-GCM-SHA384), 256 bit encryption. Is this the part that is not accepted by FileZilla?

Code:

1/20/2022 4:50:19 PM	130		Incoming connection request on FTP listener 11 at 192.168.1.2:121 accepted from 192.168.1.52:49816
1/20/2022 4:50:19 PM	130		AUTH TLS
1/20/2022 4:50:19 PM	130		234 Authentication method accepted
1/20/2022 4:50:20 PM	130		SSL connection using TLSv1.2 (DHE-RSA-AES256-GCM-SHA384), 256 bit encryption
1/20/2022 4:50:20 PM	130		SSL connection established
1/20/2022 4:50:20 PM	130		USER FrontDoorCam
1/20/2022 4:50:20 PM	130		331 User FrontDoorCam, password please
1/20/2022 4:50:20 PM	130		PASS ***********
1/20/2022 4:50:20 PM	130		Native user 'FrontDoorCam' authenticated
1/20/2022 4:50:20 PM	130		230 Password Ok, User logged in - This is an UNLICENSED copy of Cerberus FTP Server Home edition
1/20/2022 4:50:20 PM	130		CWD 2022
1/20/2022 4:50:20 PM	130		250 Change directory ok
1/20/2022 4:50:20 PM	130		CWD 01
1/20/2022 4:50:20 PM	130		250 Change directory ok
1/20/2022 4:50:21 PM	130		CWD 20
1/20/2022 4:50:21 PM	130		250 Change directory ok
1/20/2022 4:50:21 PM	130		MODE S
1/20/2022 4:50:21 PM	130		200 Mode is Stream
1/20/2022 4:50:21 PM	130		TYPE A
1/20/2022 4:50:21 PM	130		200 Type ASCII
1/20/2022 4:50:21 PM	130		PBSZ 0
1/20/2022 4:50:21 PM	130		200 PBSZ=0
1/20/2022 4:50:21 PM	130		PROT C
1/20/2022 4:50:21 PM	130		200 Clearing data channel
1/20/2022 4:50:21 PM	130		PASV
1/20/2022 4:50:21 PM	130		227 Entering Passive Mode (192,168,1,2,43,109)
1/20/2022 4:50:21 PM	130		STOR Front Door Cam_00_20220120165018.txt
1/20/2022 4:50:21 PM	130		150 Opening data connection
1/20/2022 4:50:21 PM	130		Successfully stored file at 'D:\Cerberus\2022\01\20\Front Door Cam_00_20220120165018.txt' (74 B received)
1/20/2022 4:50:21 PM	130		226 Transfer complete
1/20/2022 4:50:21 PM	130		QUIT
1/20/2022 4:50:21 PM	130		Connection terminated

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: TLS Error on FileZilla 1.2

#8 Post by boco » 2022-01-21 02:37

When I'm connected to my FileZilla Server, it is using ECDHE (Elliptic Curve) ciphers. AFAIK the simple DHE ciphers do not offer Perfect Forward Secrecy, and for that reason, FileZilla Server might not offer support for them.

However, only @botg or @oibaf can answer that thoroughly.

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: TLS Error on FileZilla 1.2

#9 Post by botg » 2022-01-21 09:16

DHE does offer PFS. It is much slower than ECDHE though, which is why, if possible, FileZilla negotiates ECDHE.


@CrimpOn: Could you please post a Wireshark dump of the handshake attempt between your client and FileZilla Server? That way we can see what your client attempts to negotiate.

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#10 Post by CrimpOn » 2022-01-21 19:32

Wireshark capture of the camera attempting to FTP to FileZilla is here: https://www.dropbox.com/s/pg7wy96ow3xos ... capng?dl=0
FileZilla server is 192.168.1.2 and the camera is 192.168.1.52.

I see the handshake where the camera connects to port 21 and the Server announces "ready for new client", and then the camera sends a TLSv1 message.
This puts the blame squarely on the camera. (Correct?)

I was a bit surprised that FileZilla does not appear to send any sort of rejection. The impression I get is that FileZilla simply stops communicating with the camera.
And then the camera 'times out'.
Is this correct?

I really appreciate your patience.

(Now I have to ask Cerberus to explain why the camera was able to connect with Cerberus when it was set to accept ONLY TLSv1.2 and TLSv1.3. If Cerberus had rejected the camera <as it should have>, then I would not have kept bothering you. I fear Cerberus may not be as easy to communicate with as you are.)

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#11 Post by CrimpOn » 2022-01-21 20:13

Did the same Wireshark capture with the camera FTPing to Cerberus. https://www.dropbox.com/s/0o83hmtnqsgbc ... capng?dl=0

This sure gives the impression that the camera is using TLSv1.2

My head hurts. :mrgreen:

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Camera TLS Error

#12 Post by CrimpOn » 2022-01-24 19:30

Wireshark capture of the failed FTP session between camera and FileZilla server appears to contain a fatal coding inconsistency (or does it?)
Please see line 45 and line 50 of the expanded packet. Line 45 says TLSv1 (0x301) and Line 50 says TLSv3 (0x303) and proceeds to supply all sorts of TLS parameters.
Is this coding error enough to get FileZilla to reject the connection?

Code:

1	Frame 9: 235 bytes on wire (1880 bits), 235 bytes captured (1880 bits) on interface \Device\NPF_{F233B6E4-BE24-4723-AA85-49E87A7B1E81}, id 0
2	Ethernet II, Src: Front_Door_Cam (68:39:43:d7:fa:24), Dst: Dicks_HP (20:25:64:0f:ba:cd)
3	Internet Protocol Version 4, Src: Front_Door_Cam (192.168.1.52), Dst: Dicks_HP (192.168.1.2)
4	Transmission Control Protocol, Src Port: 49388, Dst Port: 21, Seq: 11, Ack: 114, Len: 181
5	    Source Port: 49388
6	    Destination Port: 21
7	    [Stream index: 0]
8	    [Conversation completeness: Complete, WITH_DATA (31)]
9	    [TCP Segment Len: 181]
10	    Sequence Number: 11    (relative sequence number)
11	    Sequence Number (raw): 2474896074
12	    [Next Sequence Number: 192    (relative sequence number)]
13	    Acknowledgment Number: 114    (relative ack number)
14	    Acknowledgment number (raw): 1141086550
15	    0101 .... = Header Length: 20 bytes (5)
16	    Flags: 0x018 (PSH, ACK)
17	        000. .... .... = Reserved: Not set
18	        ...0 .... .... = Nonce: Not set
19	        .... 0... .... = Congestion Window Reduced (CWR): Not set
20	        .... .0.. .... = ECN-Echo: Not set
21	        .... ..0. .... = Urgent: Not set
22	        .... ...1 .... = Acknowledgment: Set
23	        .... .... 1... = Push: Set
24	        .... .... .0.. = Reset: Not set
25	        .... .... ..0. = Syn: Not set
26	        .... .... ...0 = Fin: Not set
27	        [TCP Flags: ·······AP···]
28	    Window: 4009
29	    [Calculated window size: 64144]
30	    [Window size scaling factor: 16]
31	    Checksum: 0x8ca6 [unverified]
32	    [Checksum Status: Unverified]
33	    Urgent Pointer: 0
34	    [Timestamps]
35	        [Time since first frame in this TCP stream: 0.098337000 seconds]
36	        [Time since previous frame in this TCP stream: 0.000000000 seconds]
37	    [SEQ/ACK analysis]
38	        [iRTT: 0.020591000 seconds]
39	        [Bytes in flight: 181]
40	        [Bytes sent since last PSH flag: 181]
41	    TCP payload (181 bytes)
42	Transport Layer Security
43	    TLSv1 Record Layer: Handshake Protocol: Client Hello
44	        Content Type: Handshake (22)
45	        Version: TLS 1.0 (0x0301)
46	        Length: 176
47	        Handshake Protocol: Client Hello
48	            Handshake Type: Client Hello (1)
49	            Length: 172
50	            Version: TLS 1.2 (0x0303)
51	            Random: 040492e3ecb0567a28b2107000f02e418237e7737bd1c35e67fccd950ebe382f
52	                GMT Unix Time: Feb 19, 1972 20:36:51.000000000 Pacific Standard Time
53	                Random Bytes: ecb0567a28b2107000f02e418237e7737bd1c35e67fccd950ebe382f
54	            Session ID Length: 0
55	            Cipher Suites Length: 96
56	            Cipher Suites (48 suites)
57	                Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
58	                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
59	                Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
60	                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
61	                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
62	                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
63	                Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
64	                Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
65	                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
66	                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
67	                Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
68	                Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
69	                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
70	                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
71	                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
72	                Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
73	                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
74	                Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
75	                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
76	                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
77	                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
78	                Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
79	                Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
80	                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
81	                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
82	                Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
83	                Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
84	                Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
85	                Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
86	                Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
87	                Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
88	                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
89	                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
90	                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
91	                Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
92	                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
93	                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
94	                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
95	                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
96	                Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
97	                Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
98	                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
99	                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
100	                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
101	                Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)
102	                Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)
103	                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
104	                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
105	            Compression Methods Length: 1
106	            Compression Methods (1 method)
107	                Compression Method: null (0)
108	            Extensions Length: 35
109	            Extension: session_ticket (len=0)
110	                Type: session_ticket (35)
111	                Length: 0
112	                Data (0 bytes)
113	            Extension: signature_algorithms (len=22)
114	                Type: signature_algorithms (13)
115	                Length: 22
116	                Signature Hash Algorithms Length: 20
117	                Signature Hash Algorithms (10 algorithms)
118	                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
119	                    Signature Algorithm: SHA512 DSA (0x0602)
120	                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
121	                    Signature Algorithm: SHA384 DSA (0x0502)
122	                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
123	                    Signature Algorithm: SHA256 DSA (0x0402)
124	                    Signature Algorithm: SHA224 RSA (0x0301)
125	                    Signature Algorithm: SHA224 DSA (0x0302)
126	                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
127	                    Signature Algorithm: SHA1 DSA (0x0202)
128	            Extension: heartbeat (len=1)
129	                Type: heartbeat (15)
130	                Length: 1
131	                Mode: Peer allowed to send requests (1)
132	            [JA3 Fullstring: 771,165-163-161-159-107-106-105-104-57-56-55-54-157-61-53-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-156-60-47-150-5-4-22-19-16-13-10-21-18-15-12-9-255,35-13-15,,]
133	            [JA3: dac10c3caa29f6c6ce48ae4c2fdca84a]
The camera company's engineers suggest that I "turn off" TLS support on FileZilla, to which I respond:
#1 - That is not possible.
#2 - A modern FTP server MUST support TLS security.

What remains unexplained is why Cerberus FTP accepts the connection when it is set to accept only TLSv3. (Perhaps they ignore the coding inconsistency?)

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: TLS Error on FileZilla 1.2

#13 Post by botg » 2022-01-25 10:10

For historical reasons, the TLS version printed in the various record layer and handshake message packets is an absolute clusterfuck. Nothing to worry about here, situation normal, all fucked up.
CrimpOn wrote: "I was a bit surprised that FileZilla does not appear to send any sort of rejection."
It cannot, as the connection is in an in-between state.

CrimpOn wrote: "The impression I get is that FileZilla simply stops communicating with the camera. And then the camera 'times out'."
FileZilla Server closes the connection. Not noticing that the connection got closed is the client's issue.


According to the package dump your client doesn't support elliptic curve cryptography, in particular it doesn't support X.509 certificates with an elliptic curve signature. Algorithms with elliptic curve cryptography were added to TLS 1.1 as an extension in 2006, and made part of TLS 1.2 in 2008. The certificates generated by FileZilla Server are signed using ECDSA.

The best option would be to update your client to support ECDSA (and ECDHE while at it). Alternatively you could generate your TLS certificates outside of FileZilla Server signed using RSA, though this will come at the cost of more expensive handshakes as it's a far slower algorithm.
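Putting botg's diagnosis together with the dissection in post #12, the following is an added example (not code from this thread, from FileZilla Server or from GnuTLS) that rebuilds the camera's ClientHello byte for byte from the posted fields, parses it, and reports what kind of server certificate could serve this client. The cipher-suite sets ECDSA_AUTH_SUITES and RSA_AUTH_AEAD_SUITES are this example's own assumption (standard IANA ids from the RFCs named in the comments), not FileZilla Server's configured list. It also computes the JA3 fingerprint, which reproduces the value Wireshark printed in the dump, so the same client can be recognised in Zeek or Suricata TLS logs.

```python
"""Parse a TLS 1.2 ClientHello and work out what certificate type a server needs
to negotiate with it.  Added example for this thread, not FileZilla Server or GnuTLS
code; the hello is rebuilt byte for byte from the Wireshark dissection above (frame 9)."""
import hashlib
import struct

u16 = struct.Struct("!H").pack
# Cipher suites in the order the camera offered them (IANA ids from the dump).
CIPHER_SUITES = [
    0x00A5, 0x00A3, 0x00A1, 0x009F, 0x006B, 0x006A, 0x0069, 0x0068, 0x0039, 0x0038,
    0x0037, 0x0036, 0x009D, 0x003D, 0x0035, 0x00A4, 0x00A2, 0x00A0, 0x009E, 0x0067,
    0x0040, 0x003F, 0x003E, 0x0033, 0x0032, 0x0031, 0x0030, 0x009A, 0x0099, 0x0098,
    0x0097, 0x009C, 0x003C, 0x002F, 0x0096, 0x0005, 0x0004, 0x0016, 0x0013, 0x0010,
    0x000D, 0x000A, 0x0015, 0x0012, 0x000F, 0x000C, 0x0009, 0x00FF]
# signature_algorithms: high byte = hash, low byte = signature (1 rsa, 2 dsa, 3 ecdsa).
SIG_ALGS = [0x0601, 0x0602, 0x0501, 0x0502, 0x0401, 0x0402, 0x0301, 0x0302, 0x0201, 0x0202]
RANDOM = bytes.fromhex("040492e3ecb0567a28b2107000f02e418237e7737bd1c35e67fccd950ebe382f")
# ECDHE_ECDSA suites an ECDSA-certificate server could pick (RFC 4492/5289/7905 ids)
# and RSA-authenticated AEAD suites an RSA-certificate server could pick (RFC 5288/
# 5289/7905).  These sets are this example's assumption, not FileZilla's own policy.
ECDSA_AUTH_SUITES = {0xC009, 0xC00A, 0xC023, 0xC024, 0xC02B, 0xC02C, 0xCCA9}
RSA_AUTH_AEAD_SUITES = {0x009C, 0x009D, 0x009E, 0x009F, 0xC02F, 0xC030, 0xCCA8}
EXT_SIG_ALGS, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 13, 10, 11


def u16_list(data):
    """Decode a run of big-endian 16-bit values."""
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]


def build_client_hello():
    """Assemble the 181-byte record exactly as the camera sent it."""
    suites = b"".join(map(u16, CIPHER_SUITES))
    sigs = b"".join(map(u16, SIG_ALGS))
    exts = (u16(35) + u16(0)                                     # session_ticket, empty
            + u16(EXT_SIG_ALGS) + u16(len(sigs) + 2) + u16(len(sigs)) + sigs
            + u16(15) + u16(1) + b"\x01")                         # heartbeat, mode 1
    body = (b"\x03\x03" + RANDOM + b"\x00"                       # TLS 1.2, random, no session id
            + u16(len(suites)) + suites + b"\x01\x00"             # suites, compression: null
            + u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    # Record layer says 0x0301 while the hello says 0x0303: legal and common, a
    # leftover from old servers that dropped records with an unknown version.
    return b"\x16\x03\x01" + u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Minimal TLS record + ClientHello parser returning the fields we need."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[9:5 + rec_len]                 # skip the 4-byte handshake header
    hs_version = struct.unpack("!H", body[:2])[0]
    p = 2 + 32                                   # past version and client random
    p += 1 + body[p]                             # skip session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    suites = u16_list(body[p + 2:p + 2 + cs_len])
    p += 2 + cs_len
    p += 1 + body[p]                             # skip compression methods
    ext_order, extensions = [], {}
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0] if p < len(body) else p
    p += 2
    while p < end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        ext_order.append(etype)
        extensions[etype] = body[p + 4:p + 4 + elen]
        p += 4 + elen
    return {"record_version": rec_version, "handshake_version": hs_version,
            "cipher_suites": suites, "ext_order": ext_order, "extensions": extensions}


def assess(hello):
    """Decide whether an ECDSA- or an RSA-signed server certificate can serve this client."""
    sig_algs = u16_list(hello["extensions"].get(EXT_SIG_ALGS, b"")[2:])
    ecdsa_suite = any(s in ECDSA_AUTH_SUITES for s in hello["cipher_suites"])
    ecdsa_sigalg = any((s & 0xFF) == 3 for s in sig_algs)
    return {"offers_ecdsa_suite": ecdsa_suite, "offers_ecdsa_sigalg": ecdsa_sigalg,
            "has_supported_groups": EXT_SUPPORTED_GROUPS in hello["extensions"],
            # RFC 5246 7.4.2: with signature_algorithms present, the server's chain
            # must be signed with one of the listed pairs.
            "ok_with_ecdsa_cert": ecdsa_suite and (not sig_algs or ecdsa_sigalg),
            "rsa_aead_suites": [s for s in hello["cipher_suites"] if s in RSA_AUTH_AEAD_SUITES]}


def ja3(hello):
    """JA3: MD5 of 'version,ciphers,extensions,groups,points' (decimal, '-'-joined).
    GREASE values would be dropped; none occur in this hello."""
    ext = hello["extensions"]
    groups = u16_list(ext.get(EXT_SUPPORTED_GROUPS, b"")[2:])
    points = list(ext.get(EXT_EC_POINT_FORMATS, b"")[1:])
    full = ",".join([str(hello["handshake_version"]),
                     "-".join(map(str, hello["cipher_suites"])),
                     "-".join(map(str, hello["ext_order"])),
                     "-".join(map(str, groups)), "-".join(map(str, points))])
    return full, hashlib.md5(full.encode()).hexdigest()
```

Calling `assess(parse_client_hello(build_client_hello()))` shows the shape of the failure: no ECDHE_ECDSA suite, no ecdsa entry in signature_algorithms and no supported_groups extension at all, so a server whose only certificate is ECDSA-signed has nothing to select and GnuTLS reports -87. The same hello does carry DHE_RSA AES-GCM suites, with 0x009F first in the client's order, which is exactly the DHE-RSA-AES256-GCM-SHA384 that the Cerberus log in post #7 shows being picked against an RSA certificate. The JA3 digest equals the one in the dump, which is the value to search for if you want to find this firmware's connections in TLS logs.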

CrimpOn
226 Transfer OK
Posts: 103
Joined: 2021-10-01 18:25
First name: D
Last name: B

Re: TLS Error on FileZilla 1.2

#14 Post by CrimpOn » 2022-01-25 19:10

Thanks for the thorough explanation. (My "aha moment" being totally incorrect.)

I notice that the camera connection refers to Cipher Suites and Signature Algorithms using hex codes (0x00a5, 0x601, etc.)
Would like to direct them to a reference for the specific ECDSA and ECDHE certificate mechanisms used by FileZilla. I don't find ECDSA or ECDHE in the RFC (pages 85-86)
https://datatracker.ietf.org/doc/html/rfc5246
Is there a better reference document?

I'm 90% certain that these guys just picked up an FTP package to bundle with their camera firmware (sigh). So incorporating support for newer algorithms may be beyond their capability. I am a bit ticked off that they use Cerberus FTP as their example platform since the least costly version of Cerberus is $500.

Tempted to look at Let's Encrypt, but cannot find information on their web site as to which Cipher Suite they use so that I can see if the camera supports it. Definitely not worth the effort if it doesn't.

Can you please mark this post "Solved"?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: TLS Error on FileZilla 1.2

#15 Post by botg » 2022-01-26 08:48

See https://datatracker.ietf.org/doc/html/rfc4492#section-6 and https://datatracker.ietf.org/doc/html/r ... -7.4.1.4.1 for reference.

FileZilla Server also uses ECDSA when obtaining certificates from Let's Encrypt or any other ACME directory.
