GnuTLS error -12 when trying to connect to with Explicit TLS
Re: GnuTLS error -12 when trying to connect to with Explicit
*sigh*.
I'm starting to dislike priority strings.
Neither SECURE256 nor SECURE128 contain 3DES, but when combined the proper way they suddenly do. What trickery is that?
Re: GnuTLS error -12 when trying to connect to with Explicit
Definitely a bug in GnuTLS. Working on a patch as of writing this.
Re: GnuTLS error -12 when trying to connect to with Explicit
Yeah it's fixed.
-
- 500 Command not understood
- Posts: 5
- Joined: 2011-09-13 03:02
- First name: mizanul
- Last name: kabir
Re: GnuTLS error -12 when trying to connect to with Explicit
Thanks for it. I find now it is working
Removed signature. No advertisement allowed in these forums.
-
- 500 Command not understood
- Posts: 1
- Joined: 2012-12-06 03:16
- First name: anthony
- Last name: b
Re: GnuTLS error -12 when trying to connect to with Explicit
Thanks. Worked for me too.
cecemel wrote: I had the same issue as well. Fixed! Thanks!
tom_uk wrote: Thank you for this - I was faced with this problem from one of our customers today and this was the answer.
Just found a solution for vsftpd, from this thread, I added ssl_ciphers=HIGH to the vsftpd.conf and the latest FileZilla can now connect to the FTP server again.
Thank you very much everyone for all of your posts. Your post helped me resolve my secure ftp issue. I was on the precipice of removing vsftpd from my server out of 5 hours of sheer frustration. I had about as much as I could take from this issue. I am very dismayed by FileZilla's lack of compatibility with old server cyphers.
In order for me to get FileZilla to work with my server's vsftpd service I had to add the following to my vsftpd config:
Code:
ssl_ciphers=HIGH
Code:
require_ssl_reuse=NO
Code:
#SSL secure ftp log in settings
ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Re: GnuTLS error -12 when trying to connect to with Explicit
require_ssl_reuse=NO is not needed.
Re: GnuTLS error -12 when trying to connect to with Explicit
In addition to what botg said, you should also remove ssl_sslv2 as it's very old and vulnerable, you might as well remove ssl_sslv3 too.
leibniiz wrote:
Code:
#SSL secure ftp log in settings
ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
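The settings discussed in the posts above (ssl_ciphers, ssl_sslv2, ssl_sslv3, require_ssl_reuse) can be checked mechanically before a client upgrade exposes them. The script below is an added example, not code from the thread or from the vsftpd or FileZilla projects; conf_get and audit_vsftpd_conf are hypothetical helper names, and the weak-cipher token list and the "last assignment wins" rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the TLS settings discussed in this thread.

# Print the last value assigned to KEY ($2) in FILE ($1), upper-cased.
# Assumptions: key=value with no spaces; a repeated key takes its last value.
conf_get() {
    awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print toupper(v) }' "$1"
}

# Print one finding per line; return 0 if nothing was flagged, 1 otherwise.
audit_vsftpd_conf() {
    f=$1; rc=0
    if [ "$(conf_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: TLS is off"; return 1
    fi
    for proto in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$f" "$proto")" = "YES" ]; then
            echo "$proto=YES: obsolete protocol enabled, set $proto=NO"; rc=1
        fi
    done
    ciphers=$(conf_get "$f" ssl_ciphers)
    if [ -z "$ciphers" ]; then
        echo "ssl_ciphers unset: built-in default applies, set ssl_ciphers=HIGH"; rc=1
    fi
    old_ifs=$IFS; IFS=:
    for tok in $ciphers; do
        case "$tok" in
            '!'*|-*) ;;   # exclusions such as !3DES are fine
            *DES*|*RC4*|*NULL*|*EXP*) echo "ssl_ciphers enables weak entry $tok"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$(conf_get "$f" require_ssl_reuse)" = "NO" ]; then
        echo "require_ssl_reuse=NO: not needed for FileZilla, remove it"; rc=1
    fi
    return $rc
}

# Constructed sample: the TLS lines of the configuration quoted above.
demo_conf=$(mktemp)
printf '%s\n' '#SSL secure ftp log in settings' ssl_ciphers=HIGH \
    require_ssl_reuse=NO ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=YES \
    ssl_sslv3=YES > "$demo_conf"
audit_vsftpd_conf "$demo_conf" || true
rm -f "$demo_conf"
```

On the quoted configuration this reports ssl_sslv2, ssl_sslv3 and require_ssl_reuse; with those three lines removed and ssl_ciphers=HIGH kept, it reports nothing.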
Re: GnuTLS error -12 when trying to connect to with Explicit
I can see the developer's point but see all of ours. YOU CHANGE THE CLIENT without telling us that our server ciphers need to be changed. We have hundreds of people using the FileZilla client that the overwhelming "assumption" on server security getting changed instantly breaks.
The response below suggests the developer does NOT understand customers. Telling me to change my server every time FileZilla's development decides a cipher needs to be changed and AFTER I find out since the new client BREAKS my server is not change management.
Our points are legitimate. When the client drops cipher support without a change notice or explicitly telling the thousands of users, you blindside thousands of end users and infuriate the server admins who now have to do extra work just because of this decision.
AND telling us "As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers." is such unbelievable arrogance I can't even describe it.
3.5.2 works for explicit tls, 3.5.3 worked after I changed my server cipher. I got blindsided AGAIN with 3.6.0 and 3.6.0.2 since there was no "oh you have to change this CIPHER again since we dropped support since your server is not secure enough."
You don't pay for my labor, I wish you did.
kinsei wrote: I never said saving CPU cycles is silly. But it is silly that you feel the need to save other people's CPU cycles by FORCING them to switch hosts. Who makes you the person who decides what should be more important for us?
xeon wrote: I don't see how saving cpu cycles is silly. People who say this don't seem to understand just how much is wasted by using a cipher like 3DES.
If anything needs to be done it's vsftpd's dev needing to change their default cipher to something more efficient such as AES/RC4 or perhaps even multiple ciphers this time.
As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers.
If an admin can't even do that maybe it's time to find a new host or admin?
Leaving it as an OPTION allows the best of both worlds. Period.
You get what you want and so does everyone else.
I am not going to pay more money to switch to another host so I can use FileZilla's latest client.
Ridiculous.
Re: GnuTLS error -12 when trying to connect to with Explicit
Please note that the statement you quoted is not from the developer.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
Re: GnuTLS error -12 when trying to connect to with Explicit
When having to choose between security and performance, security should always take priority.
-
- 500 Command not understood
- Posts: 1
- Joined: 2013-03-05 08:14
Re: GnuTLS error -12 when trying to connect to with Explicit
Thank you for the sharing.
We use vsftpd on a linux server. Any clients below 3.5.3 connect fine. I too am reverting back to an older version.
-
- 504 Command not implemented
- Posts: 6
- Joined: 2013-03-20 11:38
- First name: Andrei
- Last name: Vida-Ratiu
Re: GnuTLS error -12 when trying to connect to with Explicit
Hello
I am experiencing this issue with the latest Filezilla Client (3.6.0.2) when trying to connect to my home diskstation server through FTP with explicit TLS.
Here is the dialog:
Connecting to XX.XX.XX.XX:21...
Status: Connection established, waiting for welcome message...
Response: 220 DiskStation FTP server ready.
Command: AUTH TLS
Response: 234 AUTH SSL command successful.
Status: Initializing TLS...
Trace: TLS Handshake successful
Trace: Cipher: AES-256-CBC, MAC: SHA256
Status: Verifying certificate...
Command: USER XXXXXX
Status: TLS/SSL connection established.
Trace: GnuTLS alert 20: Bad record MAC
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server
I tried with WinSCP and it works. But I would prefer to use FileZilla. Is there anything I can do? Any ideas?
Re: GnuTLS error -12 when trying to connect to with Explicit
Do you know what OS and FTP server software the target runs, and if it can be updated?
-
- 504 Command not implemented
- Posts: 6
- Joined: 2013-03-20 11:38
- First name: Andrei
- Last name: Vida-Ratiu
Re: GnuTLS error -12 when trying to connect to with Explicit
The server is a DS211j. The operating system is a proprietary version of Linux that uses a web interface. The version is DSM 4.2-3202. I don't know if I can change the configuration of the server.
It is true that I recently updated the OS to the version mentioned above. Since then I have had the problem. As I also mentioned, with WinSCP it works OK. I can connect and work with the files.
I logged on through SSH. It says: BusyBox v1.16.1 (2013-03-01 01:20:13 CST) built-in shell (ash).
Re: GnuTLS error -12 when trying to connect to with Explicit
That's some type of Linux. In most cases the configuration can be updated/changed. The question is if it can be changed permanently.
Would be good to know the exact FTP server daemon used (vsftpd, ProFTPd, PureFTPd, etc...). Those have verbose manpages where the exact configuration can be looked up. vsftpd is already known in this thread.