Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-15 20:52
by regional
Hi,

I've upgraded FileZilla Server from 0.9.6 to the latest version and FTPS is no longer working through the firewall. What changes were made which would cause this?

It works fine on the local network (from another PC), but no longer works from a public IP, however this was working just fine before the upgrade (as all necessary ports were open etc.) I've tried both active and passive and nothing appears to work except normal FTP (non-secure). I'm testing externally using the latest FileZilla Client and it logs in ok, but then gets stuck at "Retrieving Directory Listing..." and eventually times out.

I understand this is a firewall issue, but not sure why the upgrade would suddenly break things unless something else is going on - I've put in the passive ports and public DNS/IP in the config (as this was lost during the upgrade), but this hasn't helped.

Thanks

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-15 21:22
by boco
Firewall rules are application-specific. FileZilla Server 1.x is a completely new application, so, you need to remove and re-do the firewall rules for the new executable.

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-15 21:24
by regional
I did this already in Windows as I can access it from another PC on the same network just fine.

Is there anything else it could be?

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-22 19:17
by regional
Rolling back to the old 0.9.6 version (with absolutely no changes to the external firewall) and it's now working again, so something must have changed in the way that passive FTPS transfers work from old to the new version, so whilst it appears the firewall is a problem, something must have changed.

Given that delete permissions have also been rolled into write permissions and logging settings are still very basic compared to before (another reason for rolling back), it looks like I'll need to find another product which is really disappointing.

All I can say is right now, this product has taken 1 step forward, but 2 steps back which is a real shame and I guess the devs just don't care enough to listen to the people actually using it.

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-29 17:26
by ev_xman
I fully approve!!!
The update is terrible!
FTPS does not work, most likely due to the fact that the server does not give the correct addresses for the data connection. Functionality has gone bad. Many clients stopped working correctly. Need to look for another product. Very sad.

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-29 18:02
by botg
You need to tell FileZilla Server your public address if you want to use passive mode behind a NAT router.

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-03-29 18:09
by regional
botg wrote:
2023-03-29 18:02
You need to tell FileZilla Server your public address if you want to use passive mode behind a NAT router.
I understand that, but as explained already, this has already been done and if I hadn't, then it wouldn't be working on the old version either, but it does.

Something in the new version broke for FTPS connections - I don't know what, but given that someone else is also having the same problem suggests it's not just a simple config issue. The fact that I got it working with a rollback confirms this too.

Where are the devs?

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-04-18 08:11
by kimmerin
regional wrote:
2023-03-29 18:09
Something in the new version broke for FTPS connections - I don't know what, but given that someone else is also having the same problem suggests it's not just a simple config issue. The fact that I got it working with a rollback confirms this too.

Where are the devs?
I'm not a dev (of FileZilla at least) but in order to help, it might be useful to know what exactly goes wrong (connection refused, connection timeout, etc) and what the logs of both sides look like. You've said that you tested it yourself, so can you increase the logging levels of both sides to the max, do a test and provide the logs of both sides?

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-04-18 09:24
by oibaf
We understand it doesn't work for you, but in order to help, we need to know what the symptoms are.

What errors do you get? Can you paste here the log output of your client, set to verbose?

Does it, by any chance, say anything related to the TLS version? FileZilla Server 1.x requires at least TLS 1.2. That's just one of the possible causes.

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-04-26 22:41
by n406c
We are having the exact same issues after upgrading from the 0.9.6 to 1.6.7. All of our vendors trying to send files are only able to create a blank file in the directory and all receive the error below.
"425 Unable to build data connection: TLS session of data connection not resumed."

Server is configured to accept a minimum TLS version of 1.2, is configured for passive mode with a port range of 50000-50050 with external IP configured and requires explicit FTP over TLS.
We have also confirmed this issue does not occur when using the FileZilla client and only seems to be affecting those accessing via non-FileZilla clients.

2023-04-26T21:41:58.946Z DI [REDACTED] Session 0x184e4e52990 with ID 756 created.
2023-04-26T21:41:58.946Z << [REDACTED] 220-FileZilla Server 1.6.7
2023-04-26T21:41:58.946Z << [REDACTED] 220 Please visit https://filezilla-project.org/
2023-04-26T21:41:58.992Z >> [REDACTED] AUTH TLS
2023-04-26T21:41:58.992Z << [REDACTED] 234 Using authentication type TLS.
2023-04-26T21:41:58.992Z DV [REDACTED] tls_layer_impl::server_handshake()
2023-04-26T21:41:58.992Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:58.992Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.086Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.133Z DV [REDACTED] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.133Z DI [REDACTED] TLS Handshake successful
2023-04-26T21:41:59.133Z DI [REDACTED] Protocol: TLS1.2, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD, ALPN:
2023-04-26T21:41:59.180Z >> [REDACTED] USER Test
2023-04-26T21:41:59.180Z DI [Throttled Authenticator] Authenticating user Test from IP xxx.xxx.xxx.xxx.
2023-04-26T21:41:59.180Z << [REDACTED] 331 Please, specify the password.
2023-04-26T21:41:59.242Z >> [REDACTED] PASS ****
2023-04-26T21:41:59.242Z DV [File-based Authenticator] Authenticating user 'Test'. Methods requested: ({ id = 1, set = 1 }). Available methods: [1].
2023-04-26T21:41:59.336Z DV [File-based Authenticator] Auth method { id = 1, set = 1 } passed for user 'Test'.
2023-04-26T21:41:59.336Z DV [File-based Authenticator] impersonation_token: { username: "", home: "" }
2023-04-26T21:41:59.336Z DV [File-based Authenticator] Authentication for user 'Test' is complete.
2023-04-26T21:41:59.336Z DV [File-based Authenticator] impersonation_token: { username: "", home: "" }
2023-04-26T21:41:59.336Z << [REDACTED SESSION] 230 Login successful.
2023-04-26T21:41:59.383Z >> [REDACTED SESSION] PBSZ 0
2023-04-26T21:41:59.383Z << [REDACTED SESSION] 200 PBSZ=0
2023-04-26T21:41:59.430Z >> [REDACTED SESSION] PROT P
2023-04-26T21:41:59.430Z << [REDACTED SESSION] 200 Protection level set to P
2023-04-26T21:41:59.477Z >> [REDACTED SESSION] TYPE A
2023-04-26T21:41:59.477Z << [REDACTED SESSION] 200 Type set to A
2023-04-26T21:41:59.524Z >> [REDACTED SESSION] PASV
2023-04-26T21:41:59.524Z DV [REDACTED SESSION] Trying listen(1, 50037) for data connection.
2023-04-26T21:41:59.524Z << [REDACTED SESSION] 227 Entering Passive Mode (xxx,xxx,xxx,xxx,195,117)
2023-04-26T21:41:59.586Z >> [REDACTED SESSION] STOR Test.CSV
2023-04-26T21:41:59.586Z << [REDACTED SESSION] 150 About to start data transfer.
2023-04-26T21:41:59.617Z DV [REDACTED SESSION] session::on_socket_event(): source = data listen, flag = 2, error = 0, state = -1
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::server_handshake()
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.633Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.680Z DV [REDACTED SESSION] tls_layer_impl::continue_handshake()
2023-04-26T21:41:59.680Z DI [REDACTED SESSION] TLS Handshake successful
2023-04-26T21:41:59.680Z DI [REDACTED SESSION] Protocol: TLS1.2, Key exchange: ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256, Cipher: AES-256-GCM, MAC: AEAD, ALPN:
2023-04-26T21:41:59.680Z DV [REDACTED SESSION] session::on_socket_event(): source = data, flag = 2, error = 0, state = 2
2023-04-26T21:41:59.680Z !! [REDACTED SESSION] TLS session of data connection not resumed.
2023-04-26T21:41:59.680Z << [REDACTED SESSION] 425 Unable to build data connection: TLS session of data connection not resumed.
2023-04-26T21:41:59.868Z >> [REDACTED SESSION] QUIT
2023-04-26T21:41:59.868Z << [REDACTED SESSION] 221 Goodbye.
2023-04-26T21:41:59.868Z DV [REDACTED SESSION] tls_layer_impl::shutdown()
2023-04-26T21:41:59.868Z DV [REDACTED SESSION] tls_layer_impl::continue_shutdown()
2023-04-26T21:41:59.899Z == [FTP Server] Session 756 ended gracefully.
2023-04-26T21:41:59.899Z DI [REDACTED] Session 0x184e4e52990 with ID 756 destroyed.

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-04-26 23:27
by boco
In your case, it's very easy to explain. TLS session resumption is a now-mandatory security feature (prevents session-stealing). Your client's FTP client software does not support TLS session resumption and must be updated to a version that does.
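
Added example, not part of any post in this thread: the two checks raised above (botg's public passive-mode address, boco's reading of the 425 reply) applied to a server log. The sample log is a constructed, shortened copy of the one quoted above with a documentation address in place of the redacted one; the function names are hypothetical and the default port range 50000-50050 is taken from n406c's post.

```python
import ipaddress
import re

# Constructed sample: shortened copy of the log quoted in the thread, with the
# redacted address replaced by a documentation address (203.0.113.10).
SAMPLE_LOG = """\
2023-04-26T21:41:59.430Z >> [S] PROT P
2023-04-26T21:41:59.524Z >> [S] PASV
2023-04-26T21:41:59.524Z << [S] 227 Entering Passive Mode (203,0,113,10,195,117)
2023-04-26T21:41:59.586Z >> [S] STOR Test.CSV
2023-04-26T21:41:59.680Z !! [S] TLS session of data connection not resumed.
2023-04-26T21:41:59.680Z << [S] 425 Unable to build data connection: TLS session of data connection not resumed.
"""

PASV_RE = re.compile(r"<< .*\b227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 1918 ranges: unreachable for a client on the other side of a NAT router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (ip, port) from a server 227 reply, else None; port = p1 * 256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), int(p1) * 256 + int(p2)


def triage(log_text, port_range=(50000, 50050)):
    """List likely causes of a failed passive-mode FTPS transfer seen in the log."""
    findings = []
    for line in log_text.splitlines():
        pasv = parse_pasv(line)
        if pasv:
            ip, port = pasv
            if any(ip in net for net in RFC1918):
                findings.append(f"PASV advertises private address {ip}; configure the public address")
            if not port_range[0] <= port <= port_range[1]:
                findings.append(f"PASV port {port} is outside the forwarded range {port_range}")
        elif "<< " in line and " 425 " in line and "not resumed" in line:
            findings.append("425: client did not resume the control connection's TLS session")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample, the 227 reply decodes to port 50037, matching the `listen(1, 50037)` line in the full log, so the only finding left is the missing session resumption.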

Re: Upgrade from 0.9.6 broken FTPS connections

Posted: 2023-04-27 05:17
by n406c
boco wrote:
2023-04-26 23:27
In your case, it's very easy to explain. TLS session resumption is a now-mandatory security feature (prevents session-stealing). Your client's FTP client software does not support TLS session resumption and must be updated to a version that does.
Thank you for this.
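
Added example, not part of any post in this thread: what resuming the TLS session on the data connection looks like from the client side, using Python's standard `ftplib`. The class and function names are hypothetical, and `_prot_p` is a private `ftplib` attribute, so this is a sketch of the behaviour boco describes rather than the code of any vendor's client.

```python
import ftplib


class SessionReuseFTP_TLS(ftplib.FTP_TLS):
    """FTP_TLS whose data connections resume the control connection's TLS session."""

    def ntransfercmd(self, cmd, rest=None):
        # Open the plain data socket (PASV/EPSV handling) through the base FTP
        # class, bypassing FTP_TLS.ntransfercmd, which wraps the socket without
        # passing a session and therefore performs a full, unrelated handshake.
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:  # private ftplib flag, set by prot_p() after "PROT P"
            conn = self.context.wrap_socket(
                conn,
                server_hostname=self.host,
                session=self.sock.session,  # session of the control connection
            )
        return conn, size


def upload(host, user, password, local_path, remote_name, port=21):
    """Explicit FTPS upload in passive mode with data-channel session reuse."""
    ftps = SessionReuseFTP_TLS()
    ftps.connect(host, port)
    ftps.auth()                 # AUTH TLS on the control connection
    ftps.login(user, password)
    ftps.prot_p()               # PBSZ 0 and PROT P
    ftps.set_pasv(True)
    with open(local_path, "rb") as fh:
        reply = ftps.storbinary(f"STOR {remote_name}", fh)
    ftps.quit()
    return reply
```

Because the data connection presents the session negotiated on the authenticated control connection, the server can tie the two together, which is the binding the 425 reply in the log above reports as missing.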