Upgrade from 0.9.6 broken FTPS connections

regional
500 Command not understood
Posts: 4
Joined: 2023-03-15 19:28

Upgrade from 0.9.6 broken FTPS connections

#1 Post by regional » 2023-03-15 20:52

Hi,

I've upgraded FileZilla Server from 0.9.6 to the latest version and FTPS is no longer working through the firewall. What changes were made which would cause this?

It works fine on the local network (from another PC), but no longer works from a public IP, however this was working just fine before the upgrade (as all necessary ports were open etc.) I've tried both active and passive and nothing appears to work except normal FTP (non-secure). I'm testing externally using the latest FileZilla Client and it logs in ok, but then gets stuck at "Retrieving Directory Listing..." and eventually times out.

I understand this is a firewall issue, but not sure why the upgrade would suddenly break things unless something else is going on - I've put in the passive ports and public DNS/IP in the config (as this was lost during the upgrade), but this hasn't helped.

Thanks

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: Upgrade from 0.9.6 broken FTPS connections

#2 Post by boco » 2023-03-15 21:22

Firewall rules are application-specific. FileZilla Server 1.x is a completely new application, so, you need to remove and re-do the firewall rules for the new executable.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

regional
500 Command not understood
Posts: 4
Joined: 2023-03-15 19:28

Re: Upgrade from 0.9.6 broken FTPS connections

#3 Post by regional » 2023-03-15 21:24

I did this already in Windows as I can access it from another PC on the same network just fine.

Is there anything else it could be?

regional
500 Command not understood
Posts: 4
Joined: 2023-03-15 19:28

Re: Upgrade from 0.9.6 broken FTPS connections

#4 Post by regional » 2023-03-22 19:17

Rolling back to the old 0.9.6 version (with absolutely no changes to the external firewall) and it's now working again, so something must have changed in the way that passive FTPS transfers work from old to the new version, so whilst it appears the firewall is a problem, something must have changed.

Given that delete permissions have also been rolled into write permissions and logging settings are still very basic compared to before (another reason for rolling back), it looks like I'll need to find another product which is really disappointing.

All I can say is right now, this product has taken 1 step forward, but 2 steps back which is a real shame and I guess the devs just don't care enough to listen to the people actually using it.

ev_xman
500 Command not understood
Posts: 1
Joined: 2023-03-29 17:19
First name: Evgen
Last name: D

Re: Upgrade from 0.9.6 broken FTPS connections

#5 Post by ev_xman » 2023-03-29 17:26

I fully approve!!!
The update is terrible!
FTPS does not work, most likely due to the fact that the server does not give the correct addresses for the data connection. Functionality has gone bad. Many clients stopped working correctly. Need to look for another product. Very sad.

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Upgrade from 0.9.6 broken FTPS connections

#6 Post by botg » 2023-03-29 18:02

You need to tell FileZilla Server your public address if you want to use passive mode behind a NAT router.

regional
500 Command not understood
Posts: 4
Joined: 2023-03-15 19:28

Re: Upgrade from 0.9.6 broken FTPS connections

#7 Post by regional » 2023-03-29 18:09

botg wrote:
2023-03-29 18:02
You need to tell FileZilla Server your public address if you want to use passive mode behind a NAT router.
I understand that, but as explained already, this has already been done and if I hadn't, then it wouldn't be working on the old version either, but it does.

Something in the new version broke for FTPS connections - I don't know what, but given that someone else is also having the same problem suggests it's not just a simple config issue. The fact that I got it working with a rollback confirms this too.

Where are the devs?

kimmerin
504 Command not implemented
Posts: 8
Joined: 2023-04-12 20:06

Re: Upgrade from 0.9.6 broken FTPS connections

#8 Post by kimmerin » 2023-04-18 08:11

regional wrote:
2023-03-29 18:09
Something in the new version broke for FTPS connections - I don't know what, but given that someone else is also having the same problem suggests it's not just simple config issue. The fact that I got it working with a rollback confirms this too.

Where are the devs?
I'm not a dev (of FileZilla at least) but in order to help, it might be useful to know what exactly goes wrong (connection refused, connection timeout, etc) and what the logs of both sides look like. You've said that you tested it yourself, so can you increase the logging levels of both sides to the max, do a test and provide the logs of both sides?

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Upgrade from 0.9.6 broken FTPS connections

#9 Post by oibaf » 2023-04-18 09:24

We understand it doesn't work for you, but in order to help, we need to know what are the symptoms.

What errors do you get? Can you paste here the log output of your client, set to verbose?

Does it, by any chance, say anything related to the TLS version? FileZilla Server 1.x requires at least TLS 1.2. That's just one of the possible causes.

n406c
500 Command not understood
Posts: 2
Joined: 2023-04-26 22:14

Re: Upgrade from 0.9.6 broken FTPS connections

#10 Post by n406c » 2023-04-26 22:41

We are having the exact same issues after upgrading from the 0.9.6 to 1.6.7. All of our vendors trying to send files are only able to create a blank file in the directory and all receive the error below.
"425 Unable to build data connection: TLS session of data connection not resumed."

Server is configured to accept a minimum TLS version of 1.2, is configured for passive mode with a port range of 50000-50050 with external IP configured and requires explicit FTP over TLS.
We have also confirmed this issue does not occur when using the FileZilla client and only seems to be affecting those accessing via non-FileZilla clients.

2023-04-26T21:41:58.946Z DI [REDACTED] Session 0x184e4e52990 with ID 756 created.
2023-04-26T21:41:58.946Z << [REDACTED] 220-FileZilla Server 1.6.7
2023-04-26T21:41:58.946Z << [REDACTED] 220 Please visit https://filezilla-project.org/
2023-04-26T21:41:58.992Z >> [REDACTED] AUTH TLS
2023-04-26T21:41:58.992Z << [REDACTED] 234 Using authentication type TLS.
2023-04-26T21:41:58.992Z DV [REDACTED] tls_layer_impl::server_handshake()
2023-04-26T21:41:58.992Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:58.992Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.086Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.133Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.133Z DI [REDACTED] TLS Handshake successful
2023-04-26T21:41:59.133Z DI [REDACTED] Protocol: TLS1.2, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD, ALPN:
2023-04-26T21:41:59.180Z >> [REDACTED] USER Test
2023-04-26T21:41:59.180Z DI [Throttled Authenticator] Authenticating user Test from IP xxx.xxx.xxx.xxx.
2023-04-26T21:41:59.180Z << [REDACTED] 331 Please, specify the password.
2023-04-26T21:41:59.242Z >> [REDACTED] PASS ****
2023-04-26T21:41:59.242Z DV [File-based Authenticator] Authenticating user 'Test'. Methods requested: ({ id = 1, set = 1 }). Available methods: [1].
2023-04-26T21:41:59.336Z DV [File-based Authenticator] Auth method { id = 1, set = 1 } passed for user 'Test'.
2023-04-26T21:41:59.336Z DV [File-based Authenticator] impersonation_token: { username: "", home: "" }
2023-04-26T21:41:59.336Z DV [File-based Authenticator] Authentication for user 'Test' is complete.
2023-04-26T21:41:59.336Z DV [File-based Authenticator] impersonation_token: { username: "", home: "" }
2023-04-26T21:41:59.336Z << [REDACTED SESSION] 230 Login successful.
2023-04-26T21:41:59.383Z >> [REDACTED SESSION] PBSZ 0
2023-04-26T21:41:59.383Z << [REDACTED SESSION] 200 PBSZ=0
2023-04-26T21:41:59.430Z >> [REDACTED SESSION] PROT P
2023-04-26T21:41:59.430Z << [REDACTED SESSION] 200 Protection level set to P
2023-04-26T21:41:59.477Z >> [REDACTED SESSION] TYPE A
2023-04-26T21:41:59.477Z << [REDACTED SESSION] 200 Type set to A
2023-04-26T21:41:59.524Z >> [REDACTED SESSION] PASV
2023-04-26T21:41:59.524Z DV [REDACTED SESSION] Trying listen(1, 50037) for data connection.
2023-04-26T21:41:59.524Z << [REDACTED SESSION] 227 Entering Passive Mode (xxx,xxx,xxx,xxx,195,117)
2023-04-26T21:41:59.586Z >> [REDACTED SESSION] STOR Test.CSV
2023-04-26T21:41:59.586Z << [REDACTED SESSION] 150 About to start data transfer.
2023-04-26T21:41:59.617Z DV [REDACTED SESSION] session::on_socket_event(): source = data listen, flag = 2, error = 0, state = -1
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::server_handshake()
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.680Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.680Z DI [REDACTED SESSION] TLS Handshake successful
2023-04-26T21:41:59.680Z DI [REDACTED SESSION] Protocol: TLS1.2, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD, ALPN:
2023-04-26T21:41:59.680Z DV [REDACTED SESSION] session::on_socket_event(): source = data, flag = 2, error = 0, state = 2
2023-04-26T21:41:59.680Z !! [REDACTED SESSION] TLS session of data connection not resumed.
2023-04-26T21:41:59.680Z << [REDACTED SESSION] 425 Unable to build data connection: TLS session of data connection not resumed.
2023-04-26T21:41:59.868Z >> [REDACTED SESSION] QUIT
2023-04-26T21:41:59.868Z << [REDACTED SESSION] 221 Goodbye.
2023-04-26T21:41:59.868Z DV [REDACTED SESSION] tls_layer_impl::shutdown()
2023-04-26T21:41:59.868Z DV [REDACTED SESSION] tls_layer_impl::continue_shutdown()
2023-04-26T21:41:59.899Z == [FTP Server] Session 756 ended gracefully.
2023-04-26T21:41:59.899Z DI [REDACTED] Session 0x184e4e52990 with ID 756 destroyed.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: Upgrade from 0.9.6 broken FTPS connections

#11 Post by boco » 2023-04-26 23:27

In your case, it's very easy to explain. TLS session resumption is a now-mandatory security feature (prevents session-stealing). Your client's FTP client software does not support TLS session resumption and must be updated to a version that does.
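
To find which clients are affected by the resumption requirement described in post #11, the following added example (not part of the thread and not FileZilla project code) scans server log text in the layout shown in post #10 and reports every transfer rejected with the 425 "not resumed" reply, decoding the passive port from the 227 reply. The session tags and addresses in `SAMPLE` are constructed, and the function name is an assumption of this example.

```python
import re

LINE = re.compile(r"^(\S+) (\S{2}) \[([^\]]*)\] (.*)$")
PASV = re.compile(r"^227 .*\((?:[^,]+,){4}(\d+),(\d+)\)")
TRANSFER = {"STOR", "RETR", "APPE", "LIST", "MLSD", "NLST"}

# Constructed sample in the layout of the server log from post #10.
# Session tags and addresses are made up for the example.
SAMPLE = """\
2023-04-26T21:41:59.430Z >> [S1 vendor] PROT P
2023-04-26T21:41:59.524Z >> [S1 vendor] PASV
2023-04-26T21:41:59.524Z << [S1 vendor] 227 Entering Passive Mode (203,0,113,10,195,117)
2023-04-26T21:41:59.586Z >> [S1 vendor] STOR Test.CSV
2023-04-26T21:41:59.680Z DI [S1 vendor] Protocol: TLS1.2, Cipher: AES-256-GCM
2023-04-26T21:41:59.680Z << [S1 vendor] 425 Unable to build data connection: TLS session of data connection not resumed.
2023-04-26T21:42:05.100Z >> [S2 staff] PROT P
2023-04-26T21:42:05.150Z >> [S2 staff] PASV
2023-04-26T21:42:05.150Z << [S2 staff] 227 Entering Passive Mode (203,0,113,10,195,80)
2023-04-26T21:42:05.200Z >> [S2 staff] RETR report.csv
2023-04-26T21:42:05.400Z << [S2 staff] 226 Operation successful
"""

def find_unresumed(log_text):
    """Return one finding per transfer rejected for lack of TLS session resumption."""
    state, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.rstrip("\\ "))  # tolerate trailing backslash/space from pasted logs
        if not m:
            continue
        ts, kind, tag, msg = m.groups()
        s = state.setdefault(tag, {"prot": None, "port": None, "command": None, "tls": None})
        if kind == ">>":  # command sent by the client
            parts = msg.split() or [""]
            if parts[0].upper() == "PROT":
                s["prot"] = parts[-1].upper()
            elif parts[0].upper() in TRANSFER:
                s["command"] = msg
        elif kind == "DI" and msg.startswith("Protocol:"):
            s["tls"] = msg.split(",")[0].split(": ")[1]  # protocol of the latest handshake
        elif kind == "<<":  # reply sent by the server
            p = PASV.match(msg)
            if p:  # 227 encodes the data port as p1*256 + p2
                s["port"] = int(p.group(1)) * 256 + int(p.group(2))
            elif msg.startswith("425") and "not resumed" in msg:
                findings.append({"time": ts, "session": tag, **s})
    return findings

if __name__ == "__main__":
    for f in find_unresumed(SAMPLE):
        print(f)
```

Each finding names the session tag, so the output can be grouped by client to see which vendors need an FTP client that resumes the control connection's TLS session on the data connection.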

n406c
500 Command not understood
Posts: 2
Joined: 2023-04-26 22:14

Re: Upgrade from 0.9.6 broken FTPS connections

#12 Post by n406c » 2023-04-27 05:17

boco wrote:
2023-04-26 23:27
In your case, it's very easy to explain. TLS session resumption is a now-mandatory security feature (prevents session-stealing). Your client's FTP client software does not support TLS session resumption and must be updated to a version that does.
Thank you for this.
