FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
morourke
500 Command not understood
Posts: 5
Joined: 2019-05-17 15:45
First name: Mike
Last name: O'Rourke

FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#1 Post by morourke » 2019-05-17 16:04

I just upgraded from 3.41.1 to 3.42.1 and previously working connections are now failing with this error:
11:50:16 Error: Certificate of connection does not match expected certificate.
11:50:16 Error: The data connection could not be established: ECONNABORTED - Connection aborted

Turning debug logs on, I see:
...
11:53:11 Trace: TLS Handshake successful
11:53:11 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
11:53:12 Error: Certificate of connection does not match expected certificate.
11:53:12 Trace: CTlsSocketImpl::Failure(0)
11:53:12 Trace: CTlsSocketImpl::OnRead()
11:53:12 Error: The data connection could not be established: ECONNABORTED - Connection aborted
11:53:12 Trace: CTransferSocket::TransferEnd(3)
11:53:12 Trace: CFtpControlSocket::OnReceive()
11:53:12 Response: 226 Closing data connection, sent 3041 bytes
...

the same connection from 3.41.1 works correctly and shows:
...
11:55:42 Trace: TLS Handshake successful
11:55:42 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
11:55:42 Status: Verifying certificate...
11:55:42 Status: TLS connection established.
11:55:42 Trace: CControlSocket::SendNextCommand()
11:55:42 Trace: CFtpLogonOpData::Send() in state 5
...

Is there something in the 3.42.1 version that has changed surrounding this, or is there some way to tell what about the certificate is no longer acceptable?

thanks,
-mike

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#2 Post by botg » 2019-05-17 17:53

Do you at some point anywhere see a message about an unsorted certificate chain?

morourke
500 Command not understood
Posts: 5
Joined: 2019-05-17 15:45
First name: Mike
Last name: O'Rourke

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#3 Post by morourke » 2019-05-19 21:09

Nope. that message is nowhere to be seen in the entire log.

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#4 Post by botg » 2019-05-20 15:54

Which operating system are you using? Did you obtain binaries through https://filezilla-project.org/, a third-party distribution, or did you compile from source?

morourke
500 Command not understood
Posts: 5
Joined: 2019-05-17 15:45
First name: Mike
Last name: O'Rourke

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#5 Post by morourke » 2019-05-21 18:57

I have replicated this on both FileZilla on my mac downloaded from https://filezilla-project.org/download.php?type=client, as well as on an Ubuntu Linux host, also downloaded via the same link.

-mike

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#6 Post by botg » 2019-05-21 21:20

For further analysis, would it be possible to obtain a temporary guest account on the affected server?

morourke
500 Command not understood
Posts: 5
Joined: 2019-05-17 15:45
First name: Mike
Last name: O'Rourke

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#7 Post by morourke » 2019-05-22 20:14

Absolutely. let me set that up and I will PM you with the login details.

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#8 Post by botg » 2019-05-23 08:17

Thank you. I can confirm that the server indeed uses a different certificate for data connection that does not match the control connection. For FTP, matching certificates is an important security requirement to mitigate data connection stealing attacks.

The control connection certificate has the SHA256 fingerprint 76ffac5e761f9dc3c353a08244afe163c54c0335152846580ab0e8c648f3946e with the data connection certificate having fingerprint bab747e19c619b4b352ec63aec07d8f7566d475cbe98f94c8f8d843bea823cec.

Please contact your hosting provider for further assistance so that they can fix the server.

morourke
500 Command not understood
Posts: 5
Joined: 2019-05-17 15:45
First name: Mike
Last name: O'Rourke

Re: FileZilla 3.42.1 fails with Certificate of connection does not match expected certificate error

#9 Post by morourke » 2019-10-17 19:27

I never updated this to document that this is the result of the catch all setting in the S3 provider section. By adding the Wasabi Provider information, it kept this within the right domain and the certificates matched, problem solved.

Post Reply