GnuTLS error -12 when trying to connect to with Explicit TLS

[botg]

*sigh*.

I'm starting to dislike priority strings.

Neither SECURE256 nor SECURE128 contain 3DES, but when combined the proper way they suddenly do. What trickery is that?

[botg]

Definitely a bug in GnuTLS. Working on a patch as of writing this.

[iNDiGLo]

Yeah its fixed.

[Pepdeal]

Thanks for it.I find now it is working

[leibniiz]

Just found a sloution for vsftpd, from this thread, I added ssl_ciphers=HIGH to the vsftd.conf and the latest FileZilla can now connect to the FTP server again.

Thank you for this - I was faced with this problem from one of our customers today and this was the answer.

I had the same issue as well. Fixed! Thanks!

Thanks. Worked for me too.[/quote]


Thank you very much everyone for all of your posts. Your post helped me resolve my secure ftp issue. I was on the precipice of removing vsftpd from my server out of 5 hours of sheer frustration. I had about as much as i could take from this issue. I am very dismayed by FileZilla's lack of compatibility with old server cyphers.

In order for me to get fillzilla to work with my servers vsftpd service i had to add the following my vsftpd config:

Code: Select all

ssl_ciphers=HIGH

and

Code: Select all

require_ssl_reuse=NO

The following is a snippet from my modified vsftp.conf file:

Code: Select all

#SSL secure ftp log in settings
ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem

[botg]

require_ssl_reuse=NO is not needed.

[xeon]

Code: Select all

#SSL secure ftp log in settings
ssl_ciphers=HIGH
require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem

In addition to what botg said, you should also remove ssl_sslv2 as it's very old and vulnerable, you might as well remove ssl_sslv3 too.

[jstrowe]

I can see the developer's point but see all of ours. YOU CHANGE THE CLIENT without telling us that our server cipher's need to be changed. We have hundreds of people using the filezilla client that the overwhelming "assumption" on server security getting changed instantly breaks.

The response below suggests the developer does NOT understand customers. Telling me to change my server every time Filezilla's development decides a cipher needs to be changed and AFTER I find out since the new client BREAKS my server is not change management.

Our points are legitimate. When the client drops cipher support without a change notice or explicitly telling the thousands of users you blind side thousands of end users and infuriate the server admin's who now have to do extra work just because of this decision.

AND telling us "As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers." is such unbelievable arrogance I can't even describe it.

3.5.2 works for explicit tls, 3.5.3 worked after I changed my server cipher. I got blind sided AGAIN with 3.6.0 and 3.6.0.2 since there was no "oh you have to change this CIPHER again since we dropped support since your server is not secure enough.

You don't pay for my labor, I wish you did.

I don't see how saving cpu cycles is silly. People who say this don't seem to understand just how much is wasted by using a cipher like 3DES.

If anything needs to be done it's vsftpd's dev needing to change their default cipher to something more efficient such as AES/RC4 or perhaps even multiple ciphers this time.

As for anyone else you have no one but your server admin to blame if they aren't able to take 5-10 seconds out of their day to change the default cipher on their ftp servers.

If an admin can't even do that maybe it's time to find a new host or admin?

I never said saving CPU cycles is silly. But it is silly that you feel the need to save other people's CPU cycles by FORCING them to switch hosts. Who makes you the person who decides what should be more important for us?

Leaving it as an OPTION allows the best of both worlds. Period.

You get what you want and so does everyone else.

I am not going to pay more money to switch to another host so I can use FileZilla's latest client.

Ridiculous.

[boco]

Please note that the statement you quoted is not from the developer.

[botg]

When having to choose between security and performance, security should always take priority.

[lovelycoser]

Thank you for the sharing.
We use vsftpd on a linux server. Any clients below 3.5.3 connect fine. I too am reverting back to an older version.

[andreiv3103]

Hello
I am experiencing this issue with the latest Filezilla Client (3.6.0.2) when trying to connect to my home diskstation server through FTP with explicit TLS.

Here is the dialog:


Connecting to XX.XX.XX.XX:21...
Status: Connection established, waiting for welcome message...
Response: 220 DiskStation FTP server ready.
Command: AUTH TLS
Response: 234 AUTH SSL command successful.
Status: Initializing TLS...
Trace: TLS Handshake successful
Trace: Cipher: AES-256-CBC, MAC: SHA256
Status: Verifying certificate...
Command: USER XXXXXX
Status: TLS/SSL connection established.
Trace: GnuTLS alert 20: Bad record MAC
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server

I tried with WinSCP and it works. But I would prefer to use Filezilla. Is there anything I can do? Any indeas?

[boco]

Do you know what OS and FTP server software the target runs, and if it can be updated?

[andreiv3103]

The server is a DS211j. The operating system is a proprietary version of Linux that uses a web interface. The version is a DSM 4.2-3202. I don't know if I can change the configuration of the server.

It is true that I recently updated the OS to the version mentioned above. Since then the problem. As I also mentioned, with WinSCP works ok. I can connect and work with the files.

I logged on through SSH. It says: BusyBox v1.16.1 (2013-03-01 01:20:13 CST) built-in shell (ash).

[boco]

That's some type of Linux. In most cases the configuration can be updated/changed. The question is if it can be changed permanently.

Would be good to know the exact FTP server daemon used (vsftpd, ProFTPd, PureFTPd, etc...). Those have verbose manpages where the exact configuration can be looked up. vsftpd is already known in this thread.