Logging with domain from phone doesn't work

mutny
500 Syntax error
Posts: 16
Joined: 2018-11-24 08:22
First name: Andy
Last name: KR

Logging with domain from phone doesn't work

#1 Post by mutny » 2023-12-10 09:22

I have this problem that I can't figure out. I have a domain registered with No-ip, but I cannot log into the FileZilla Server using the domain. The domain has a Let's Encrypt certificate issued through an Asus router. What's interesting is that when I use my IP address then logging in is done without a problem (from LAN and from outside). Logging in from the FileZilla client on the same PC as the server goes without a problem (using the domain). I have no idea what the problem is.


When trying to log in (from phone) with domain, log shows problem with resuming session

Code:

<Date/Time> Info [Type] Message
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Response] 220-FileZilla Server 1.7.3
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Response] 220-Please visit https://filezilla-project.org/
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Response] 220 Hello Endrju!
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Command] AUTH TLS
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Response] 234 Using authentication type TLS.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Command] USER endrju
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Response] 331 Please, specify the password.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Command] PASS ****
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 230 Login successful.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] FEAT
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 211-Features:
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 211 End
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] OPTS UTF8 ON
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 202 UTF8 mode is always enabled. No need to send this command
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] TYPE I
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 200 Type set to I
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] PBSZ 0
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 200 PBSZ=0
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] PROT P
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 200 Protection level set to P
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] PWD
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 257 "/" is current directory.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] SYST
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 215 UNIX emulated by FileZilla.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] NOOP
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] MLST /
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 250-Listing /
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 250 End
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] NOOP
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] CWD /
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 250 CWD command successful
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] PASV
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 227 Entering Passive Mode (172,16,0,10,195,137)
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] MLSD
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 150 Starting data transfer.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Error] TLS session of data connection not resumed.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 425 Unable to build data connection: TLS session of data connection not resumed.
<10-12-2023 08:00:49> FTP Server [Status] Session 13 ended gracefully.
<10-12-2023 08:00:49> FTP Session 14 172.16.0.1 [Response] 220-FileZilla Server 1.7.3

When trying to log in (from the phone) with an external IP address, everything is as it should be

Code:

<Date/Time> Info [Type] Message
<10-12-2023 07:55:55> Admin UI [Status] Successfully connected to server 127.0.0.1:2611. Server's version is 1.7.3, running on x86_64-w64-mingw32.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Response] 220-FileZilla Server 1.7.3
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Response] 220-Please visit https://filezilla-project.org/
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Response] 220 Hello Endrju!
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Command] AUTH TLS
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Response] 234 Using authentication type TLS.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Command] USER endrju
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Response] 331 Please, specify the password.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 [Command] PASS ****
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 230 Login successful.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] FEAT
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 211-Features:
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 211 End
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] OPTS UTF8 ON
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 202 UTF8 mode is always enabled. No need to send this command
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] TYPE I
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 200 Type set to I
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] PBSZ 0
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 200 PBSZ=0
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] PROT P
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 200 Protection level set to P
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] PWD
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 257 "/" is current directory.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] SYST
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 215 UNIX emulated by FileZilla.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] NOOP
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] MLST /
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 250-Listing /
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 250 End

Windows 11 (all updates installed)
Router Asus RT-AX86U (Stock firmware) current
FileZilla Server 1.7.3 (latest)

Do you have any idea where the problem might be?

oibaf
Contributor
Posts: 416
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Logging with domain from phone doesn't work

#2 Post by oibaf » 2023-12-10 11:07

The non-functioning case is failing when issuing the MLSD command, which requires a data connection:

Code:

<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] MLSD
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 150 Starting data transfer.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Error] TLS session of data connection not resumed.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 425 Unable to build data connection: TLS session of data connection not resumed.

The log of the case you say is working doesn't show that; it shows that it stops when it issues the MLST command, which doesn't require a data connection:

Code:

<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] MLST /
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 250-Listing /
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 250 End

Also the non-functioning case issues the MLST command, but then continues with the MLSD command.

In both cases you're connecting from 172.16.0.1, which is a local address, not a public one.

The root cause of your issue is that your phone's client doesn't support TLS session resumption, which FileZilla Server requires for security reasons.
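
The distinction drawn in the post above (MLST proves nothing about the data connection, MLSD does) can be checked mechanically. This is an added example, not part of the original thread or of FileZilla: a Python triage script that groups server log lines by session and reports whether a data connection was attempted and how it ended. The function names are made up here, and the sample lines are abridged from the logs posted in the thread.

```python
import re
from collections import defaultdict

# One FileZilla Server log line in the format shown in the thread; the user
# name is absent until login succeeds.
LINE = re.compile(
    r"^<(?P<ts>[^>]+)> FTP Session (?P<sid>\d+) (?P<ip>\S+)"
    r"(?: (?P<user>\S+))? \[(?P<kind>Command|Response|Error)\] (?P<msg>.*)$"
)
# Commands that transfer over a separate data connection (MLST does not).
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE", "STOU"}

def summarize(log_text):
    """Count data-connection attempts and outcomes per FTP session id."""
    sessions = defaultdict(
        lambda: {"data_cmds": 0, "completed": 0, "failed": 0, "reasons": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # Admin UI and server status lines belong to no session
        s = sessions[int(m["sid"])]
        kind, msg = m["kind"], m["msg"]
        if kind == "Command" and msg.split(" ", 1)[0].upper() in DATA_COMMANDS:
            s["data_cmds"] += 1
        elif kind == "Response" and msg.startswith("226 "):
            s["completed"] += 1
        elif kind == "Response" and msg.startswith("425 "):
            s["failed"] += 1
            s["reasons"].append(msg[4:])
    return dict(sessions)

def verdict(s):
    """Say what a session's log does and does not show about resumption."""
    if s["data_cmds"] == 0:
        return "inconclusive: no data connection attempted"
    if any("not resumed" in r for r in s["reasons"]):
        return "failed: TLS session of data connection not resumed"
    if s["failed"]:
        return "failed: other data connection error"
    if s["completed"] == 0:
        return "inconclusive: no transfer completion logged"
    return "ok: data connections completed"

# Sample lines abridged from the three logs posted in the thread.
SAMPLE_LOG = """\
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 [Command] AUTH TLS
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] PASV
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Command] MLSD
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Error] TLS session of data connection not resumed.
<10-12-2023 08:00:49> FTP Session 13 172.16.0.1 endrju [Response] 425 Unable to build data connection: TLS session of data connection not resumed.
<10-12-2023 08:00:49> FTP Server [Status] Session 13 ended gracefully.
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Command] MLST /
<10-12-2023 07:59:41> FTP Session 11 172.16.0.1 endrju [Response] 250 End
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] MLSD
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 226 Operation successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] MLSD
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 226 Operation successful
"""

if __name__ == "__main__":
    for sid, s in sorted(summarize(SAMPLE_LOG).items()):
        print(sid, verdict(s))
```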

Re: Logging with domain from phone doesn't work

#3 Post by mutny » 2023-12-10 11:37

> The log of the case you say is working doesn't show that; it shows that it stops when it issues the MLST command, which doesn't require a data connection:

I just didn't enter any of the directories (I stopped at root); here is the log after entering the directory.

Code:

<Date/Time> Info [Type] Message
<10-12-2023 12:20:26> Admin UI [Status] Successfully connected to server 127.0.0.1:2611. Server's version is 1.7.3, running on x86_64-w64-mingw32.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Response] 220-FileZilla Server 1.7.3
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Response] 220-Please visit https://filezilla-project.org/
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Response] 220 Hello Endrju!
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Command] AUTH TLS
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Response] 234 Using authentication type TLS.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Command] USER endrju
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Response] 331 Please, specify the password.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 [Command] PASS ****
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 230 Login successful.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] FEAT
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 211-Features:
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 211 End
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] OPTS UTF8 ON
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 202 UTF8 mode is always enabled. No need to send this command
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] TYPE I
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 200 Type set to I
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] PBSZ 0
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 200 PBSZ=0
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] PROT P
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 200 Protection level set to P
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] PWD
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 257 "/" is current directory.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] SYST
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 215 UNIX emulated by FileZilla.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] NOOP
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] MLST /
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 250-Listing /
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 250 End
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] NOOP
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Command] CWD /
<10-12-2023 12:20:40> FTP Session 53 172.16.0.1 endrju [Response] 250 CWD command successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] PASV
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 227 Entering Passive Mode (172,16,0,10,195,130)
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] MLSD
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 150 Starting data transfer.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 226 Operation successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] NOOP
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] CWD /Apps/
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 250 CWD command successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] PASV
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 227 Entering Passive Mode (172,16,0,10,195,106)
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] MLSD
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 150 Starting data transfer.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 226 Operation successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] NOOP
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] CWD /mp3/
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 250 CWD command successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] PASV
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 227 Entering Passive Mode (172,16,0,10,195,179)
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] MLSD
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 150 Starting data transfer.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 226 Operation successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] NOOP
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 200 Noop ok.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] CWD /SKŁADANKA/
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 250 CWD command successful
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] PASV
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 227 Entering Passive Mode (172,16,0,10,195,164)
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Command] MLSD
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 150 Starting data transfer.
<10-12-2023 12:20:41> FTP Session 53 172.16.0.1 endrju [Response] 226 Operation successful

> In both cases you're connecting from 172.16.0.1, which is a local address, not a public one.
> The root cause of your issue is that your phone's client doesn't support TLS session resumption, which FileZilla Server requires for security reasons.

This is the address of the router; on the phone I use the public address, e.g. 88.95.61.65, to connect to the server and not the LAN address. The server is on the PC with the address 172.16.0.10. Then how do I understand that TLS session resumption works when I connect using an IP address but doesn't work when I use a domain?

Re: Logging with domain from phone doesn't work

#4 Post by oibaf » 2023-12-11 10:46

It is kinda odd that the client's IP is the same as the router's. This could happen if the client is actually connecting to a proxy on the router and then the FileZilla Server sees the router as its own client.

Is that your case? In any event, whether or not you're connecting from/to a public IP address should have no effect on whether the client supports session resumption, so there's some information missing here.

Re: Logging with domain from phone doesn't work

#5 Post by mutny » 2023-12-11 13:26

This is a very strange situation for me too. I do not use any proxy, at least not that I know of.
In my case, the configuration looks very simple. PC with FileZilla Server installed and FileZilla Client portable. Through the FileZilla Client I can connect to the server through my domain and here everything is ok.

This is a test done from outside the network, the server is reachable. The domain resolves to an IP address, which is how it should work.

https://ftptest.net/

The problem is only when I use the phone with the file manager installed on Android, I cannot connect to the server either from the LAN or from outside the network using my domain. What's most interesting is that by using my internal IP address I can connect to the server while I'm on the LAN and also from outside the LAN. All routers now have a built-in option to use the domain for LAN connections, maybe except of course MikroTik (there you have to configure Hairpin NAT yourself). I think there is a DNS problem somewhere but I really don't know where to look for it. If more information is needed then tell me what is needed then I will post.

botg
Site Admin
Posts: 35600
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Logging with domain from phone doesn't work

#6 Post by botg » 2023-12-11 14:35

> What's most interesting is that by using my internal IP address I can connect to the server while I'm on the LAN and also from outside the LAN

That would be most interesting indeed. While outside your LAN, you shouldn't be able to use your internal address to connect to the server.

Re: Logging with domain from phone doesn't work

#7 Post by mutny » 2023-12-11 14:56

> That would be most interesting indeed. While outside your LAN, you shouldn't be able to use your internal address to connect to the server.

Oops, my mistake, of course I meant my external address.

Re: Logging with domain from phone doesn't work

#8 Post by mutny » 2023-12-13 14:00

Can someone explain to me what this problem is in

Connection to server from outside (smartphone) using IP address works without a problem
however
Connection to server from outside (smartphone) using my domain fails (TLS session of data connection not resumed)
Generally when connecting to the server I can only use the IP address. Using an external IP address, I can connect to the server from outside and also being in the LAN, of course, connect with an internal IP address from the LAN also works. The problem only occurs on the phone :?

Re: Logging with domain from phone doesn't work

#9 Post by botg » 2023-12-13 14:48

My guess? Faulty client. It uses TLS 1.2, and when establishing the data connection to the peer IP, it fails to copy over the SNI from the control connection, thus making resumption unavailable.

When resuming sessions, the SNI of the resumed session must match the SNI of the resumed from session. If there's a mismatch, resumption must fail. See RFC 6066 section 3. See also RFC 8446 section 4.6.1 for ever so subtly different semantics in TLS 1.3. (MUST NOT vs. SHOULD NOT)
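
What a client has to do to satisfy the rule described in the post above, as an added example that is not from the thread or the FileZilla project: a Python `ftplib` subclass that wraps each data socket with the control connection's TLS session and the same SNI host name, and stops if the session was not resumed. `wrap_data_socket` and `ResumingFTP_TLS` are names made up for this example; the host name and credentials in the usage comment are placeholders.

```python
import ftplib
import ssl

def wrap_data_socket(context, raw_sock, control_sock, sni_host):
    """TLS-wrap an FTPS data socket so that it resumes the control session.

    The data socket may be connected to a bare IP address (taken from the
    PASV reply), but the SNI sent is the host name used on the control
    connection, and the session offered is the control connection's.
    """
    data = context.wrap_socket(
        raw_sock,
        server_hostname=sni_host,      # same SNI as the control connection
        session=control_sock.session,  # offer the control session for reuse
    )
    if not data.session_reused:
        # A full handshake happened instead of a resumption: stop here
        # rather than continue with a transfer a strict server will refuse.
        data.close()
        raise ssl.SSLError("data connection did not resume the control TLS session")
    return data

class ResumingFTP_TLS(ftplib.FTP_TLS):
    """ftplib.FTP_TLS whose protected data connections reuse the control session."""

    def ntransfercmd(self, cmd, rest=None):
        # FTP.ntransfercmd opens the plain TCP data socket; the TLS wrap that
        # FTP_TLS would add is replaced by the resuming one above.
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:  # set by prot_p(), i.e. after "PROT P" was accepted
            conn = wrap_data_socket(self.context, conn, self.sock, self.host)
        return conn, size

# Usage (placeholder host name and credentials):
#   ftps = ResumingFTP_TLS("ftp.example.test")
#   ftps.login("user", "password")
#   ftps.prot_p()
#   ftps.retrlines("MLSD")
```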

Re: Logging with domain from phone doesn't work

#10 Post by mutny » 2023-12-13 16:46

> My guess? Faulty client. It uses TLS 1.2, and when establishing the data connection to the peer IP, it fails to copy over the SNI from the control connection, thus making resumption unavailable.

You may be right, but I installed other servers for testing purposes: Buru SFTP Server and Bitvise SSH Server, and there login using the domain works as it should. Anyway, FileZilla Client has no problem using the domain, but unfortunately I must have some client on Android. Thanks for your help @botg.
Last edited by boco on 2023-12-15 06:19, edited 1 time in total.
Reason: Removed links, reason: Forum rules.

Re: Logging with domain from phone doesn't work

#11 Post by botg » 2023-12-13 20:36

Most other servers don't care about connection security. FileZilla Server is very strict in order to protect your data.
