FTP over TLS

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
Schmilbilic
500 Command not understood
Posts: 5
Joined: 2019-11-12 21:03
First name: Hubert
Last name: Cadic

FTP over TLS

#1 Post by Schmilbilic » 2019-11-28 13:35

Hi,
I established an FTPes (Explicit TLS) connection between a FileZilla client and my FileZilla server in passive mode. The connection is done correctly and the file transfer works in both directions. When I establish this same connection from android smartphone application (FtpCafe and AndFTP) the connection is also made but access to the remote directory is denied to me with the following message on the server :

150 Opening data channel for directory listing of "/"
450 TLS session of data connection is not resumed or the session does not match the control connection


I feel like I'm missing something in the application configuration for port 990 (the DATA port?) On which FileZilla server is open in TLS mode.
Thank you for your help,

H. C.

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FTP over TLS

#2 Post by botg » 2019-11-28 16:42

This is a client-side issue. Your mobile clients do not protect themselves against data connection stealing attacks.

Please make sure to use a client that uses session resumption on the data connection.

Schmilbilic
500 Command not understood
Posts: 5
Joined: 2019-11-12 21:03
First name: Hubert
Last name: Cadic

Re: FTP over TLS

#3 Post by Schmilbilic » 2019-11-28 20:58

Thanks for your help,
Using the AndFTP application, I selected the option to enable error recovery, maybe the right one you suggested to me.
I also tried the EPSV option with IPV4 and the Keep-Alive option on the command channel.
For these 3 tests, the result is unchanged. Below is the result of the connection.

> 230 Logged on
> FEAT
> 211-Features:
> MDTM
> REST STREAM
> SIZE
> MODE Z
> MLST type*;size*;modify*;
> MLSD
> AUTH SSL
> AUTH TLS
> PROT
> PBSZ
> UTF8
> CLNT
> MFMT
> EPSV
> EPRT
> 211 End
> CLNT AndFTP
> 200 Don't care
> PBSZ 0
> 200 PBSZ=0
> PROT P
> 200 Protection level set to P
> CWD /
> 250 CWD successful. "/" is current directory.
> FEAT
> 211-Features:
> MDTM
> REST STREAM
> SIZE
> MODE Z
> MLST type*;size*;modify*;
> MLSD
> AUTH SSL
> AUTH TLS
> PROT
> PBSZ
> UTF8
> CLNT
> MFMT
> EPSV
> EPRT
> 211 End
> EPSV
> 229 Entering Extended Passive Mode (|||20059|)
> 229 Entering Extended Passive Mode (|||20076|) si l'option EPSV avec IPV4 ) n'est pas sélectionné
> MLSD
> 150 Opening data channel for directory listing of "/"
> 450 TLS session of data connection has not resumed or the session does not match the control connection

By testing the FileZilla server with https://ftptest.net/ No problems, as with a client FileZilla. Below, the result of the connection ftptest

.> 230 Logged on
> SYST
> 215 UNIX emulated by FileZilla
> FEAT
> 211-Features:
> MDTM
> REST STREAM
> SIZE
> MODE Z
> MLST type*;size*;modify*;
> MLSD
> AUTH SSL
> AUTH TLS
> PROT
> PBSZ
> UTF8
> CLNT
> MFMT
> EPSV
> EPRT
> 211 End
> PBSZ 0
> 200 PBSZ=0 ( Don't care avec AndFTP )
> PROT P
> 200 Protection level set to P
> PWD
> 257 "/" is current directory.
> TYPE I
> 200 Type set to I
> PASV
> 227 Entering Passive Mode (91,163,156,105,78,56)
> TLS connection for data connection established
> MLSD
> 150 Opening data channel for directory listing of "/"
> 226 Successfully transferred "/"
> disconnected.


I do not know if this can help for a diagnosis
Please help.
thanks

H. C.

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FTP over TLS

#4 Post by botg » 2019-11-28 21:03

botg wrote:
2019-11-28 16:42
This is a client-side issue. Your mobile clients do not protect themselves against data connection stealing attacks.

Please make sure to use a client that uses session resumption on the data connection.
I can only repeat myself on this one.

User avatar
boco
Contributor
Posts: 26913
Joined: 2006-05-01 03:28
Location: Germany

Re: FTP over TLS

#5 Post by boco » 2019-11-29 01:53

Clients not supporting TLS session resumption will not work with FileZilla Server. While the protection can be disabled in the FileZilla Server settings (TLS page), it is generally NOT recommended, as it lowers overall security.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

Schmilbilic
500 Command not understood
Posts: 5
Joined: 2019-11-12 21:03
First name: Hubert
Last name: Cadic

Re: FTP over TLS

#6 Post by Schmilbilic » 2019-11-29 09:23

Hello,
From my AndFTP mobile application I made a connection with my FileZilla server in FTP mode Explicit over TLS but by unchecking the Settings option on the Server:
" Require TLS session resuming on data connection when using PROT P "
Access and transfert of files work fine.
But doing that, is my connection less secure. I don't understand exactly the effect of this option.?
I also suppressed listening of server on port 990 ( used only for implicit connection I presume ? )
Thanks,
H. C.

User avatar
botg
Site Admin
Posts: 35508
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FTP over TLS

#7 Post by botg » 2019-11-29 10:39

If you disable this option the server becomes vulnerable to connection stealing attacks. You should not uncheck this option.

Post Reply