FileZilla Client does not see/find newly updated certificate on primary connection

FileZillaQs
500 Command not understood
Posts: 4
Joined: 2019-01-12 01:03
First name: Scott
Last name: Qs

FileZilla Client does not see/find newly updated certificate on primary connection

#1 Post by FileZillaQs » 2019-01-12 01:46

I am using FileZilla Client 3.39.0 on Windows x64.

I run a website that uses IIS 10's FTP server and I have it set up to use Explicit FTP over TLS and it's worked great for the last year+. I bought the server certificate through Digicert.

The server certificate expired on 2019-01-04. I renewed the certificate at Digicert, one that is good through 2021. I then installed it on the Windows server, and updated the FTP site to use the new certificate.

However, when I try connecting with FileZilla Client, the log reports the following:

Status:	Connecting to xxx.xxx.xxx.xxx:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...

But then up pops a warning saying that the certificate expired on 2019-01-04.

Image

If I click Ok, it continues, but then it says: Primary connection and data connection certificates don't match.

Here's the log following the "Initializing TLS..."

Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is current directory.
Command:	TYPE I
Response:	200 Type set to I.
Command:	PASV
Response:	227 Entering Passive Mode (38,101,199,155,19,46).
Command:	LIST
Response:	150 Opening BINARY mode data connection.
Error:	Primary connection and data connection certificates don't match.
Error:	Transfer connection interrupted: ECONNABORTED - Connection aborted
Response:	226 Transfer complete.
Error:	Failed to retrieve directory listing
Status:	Disconnected from server: ECONNABORTED - Connection aborted

It's like the Initializing TLS logic is somehow grabbing the OLD certificate, but once it connects, it's grabbing the NEW certificate and seeing they don't match.

If I update the IIS FTP server to use the OLD certificate and retry connecting, I get the same expired certificate warning on Initializing TLS, but then when I click Ok it connects and I can transfer files without issue (albeit, I have to confirm that the certificate is expired every transfer).

What's going on here? Is FileZilla Client caching the Initializing TLS certificate? I've tried deleting the trustedcerts.xml file, but that didn't make any difference.

There is just one setting for the FTP SSL Certificate in IIS, so I don't think it's a server-side issue.

Thanks

FileZillaQs
500 Command not understood
Posts: 4
Joined: 2019-01-12 01:03
First name: Scott
Last name: Qs

Re: FileZilla Client does not see/find newly updated certificate on primary connection

#2 Post by FileZillaQs » 2019-01-12 01:52

FWIW, I RDPed into a computer on the other side of the US and tried connecting via FileZilla Client and got the same behavior - during Initialize TLS it gave me the warning of the expired certificate, even though the FTP site on IIS is set up to use the new one. And then when I clicked OK, it came back with the same error, "Primary connection and data connection certificates don't match."

This leads me to believe it's not related to FileZilla Client or certificate caching, since the server I RDPed into has never attempted to access this FTP site before.

Does anyone have any ideas, or has anyone experienced this issue before?

Thanks

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Client does not see/find newly updated certificate on primary connection

#3 Post by botg » 2019-01-12 11:00

IIS is a Microsoft product. Have you tried rebooting yet?

FileZillaQs
500 Command not understood
Posts: 4
Joined: 2019-01-12 01:03
First name: Scott
Last name: Qs

Re: FileZilla Client does not see/find newly updated certificate on primary connection

#4 Post by FileZillaQs » 2019-01-13 03:24

Yes, I have rebooted - still exhibits the same behavior.

FileZillaQs
500 Command not understood
Posts: 4
Joined: 2019-01-12 01:03
First name: Scott
Last name: Qs

Re: FileZilla Client does not see/find newly updated certificate on primary connection

#5 Post by FileZillaQs » 2019-01-13 03:31

Tim, can you provide any background on how FileZilla Client determines what certificate to use when making the primary connection (Initializing TLS) vs. what certificate to use when making the data connection?

My hunch is that the problem lies somewhere in that realm.

Since the issue could also be on the server-side, I've posted this question on ServerFault.com, as well - https://serverfault.com/questions/94880 ... -newly-upd

Thanks for taking the time to read this.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Client does not see/find newly updated certificate on primary connection

#6 Post by botg » 2019-01-13 16:17

Which certificate is being used is determined entirely server-side. To prevent connection stealing attacks, FileZilla requires that the server selects the same certificate for both the control connection and the data connection.
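The rule botg describes, reimplemented as an added Python example that is not FileZilla's or the Python standard library's own code: the data connection must present the same certificate as the control connection, a check ftplib.FTP_TLS does not perform on its own. The StrictFTP_TLS class, CertificateMismatch exception and the HOST/USER/PASSWORD arguments in the guarded main are assumptions; parse_pasv works on 227 replies like the one in the log above.

```python
import ftplib
import hashlib
import re
import ssl
import sys

class CertificateMismatch(ssl.SSLError):
    """Data connection presented a different certificate than the control connection."""

def parse_pasv(response):
    """Turn a 227 reply such as the one in the log above into (host, port)."""
    m = re.search(r'\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)', response)
    if not m:
        raise ValueError('not a 227 PASV reply: %r' % response)
    n = [int(x) for x in m.groups()]
    return '%d.%d.%d.%d' % tuple(n[:4]), n[4] * 256 + n[5]

def fingerprint(der_cert):
    """Hex SHA-256 fingerprint of a DER certificate, or '<none>' if absent."""
    return hashlib.sha256(der_cert).hexdigest() if der_cert else '<none>'

def same_certificate(control_der, data_der):
    """FileZilla's rule: the data connection must present byte-for-byte the
    same DER certificate the control connection presented."""
    return bool(control_der) and control_der == data_der

class StrictFTP_TLS(ftplib.FTP_TLS):
    """Hypothetical FTP_TLS subclass enforcing same_certificate() on PROT P transfers."""

    def ntransfercmd(self, cmd, rest=None):
        conn, size = super().ntransfercmd(cmd, rest)
        # Without PROT P ftplib hands back a plain socket: nothing to compare.
        if not (isinstance(conn, ssl.SSLSocket) and isinstance(self.sock, ssl.SSLSocket)):
            return conn, size
        control_der = self.sock.getpeercert(binary_form=True)
        data_der = conn.getpeercert(binary_form=True)
        if not same_certificate(control_der, data_der):
            conn.close()
            raise CertificateMismatch(
                "Primary connection and data connection certificates don't match "
                '(control %s, data %s)' % (fingerprint(control_der), fingerprint(data_der)))
        return conn, size

if __name__ == '__main__':
    # Assumed usage: python strict_ftps.py HOST USER PASSWORD
    ftp = StrictFTP_TLS(sys.argv[1])
    ftp.login(sys.argv[2], sys.argv[3])
    ftp.prot_p()
    ftp.retrlines('LIST')  # raises CertificateMismatch on a mismatched server
    ftp.quit()
```

Against a server that answers the control and data connections with different certificates, the LIST fails with the same message FileZilla logs above, with both fingerprints so the two certificates can be told apart.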
