Error GnuTLS -89 while ftpes:// connection

gaba
504 Command not implemented
Posts: 6
Joined: 2020-04-23 18:00
First name: Edward

#1 Post by gaba » 2020-04-23 18:20

Hi!

After the last update to version 3.47.2.1 on Debian Buster (same as 3.48.0-rc1) I got an error during an ftpes connection:

Code:

220 Welcome to FTP.
CFtpLogonOpData::ParseResponse() in state 1
CControlSocket::SendNextCommand()
CFtpLogonOpData::Send() in state 2
AUTH TLS
CFtpControlSocket::OnReceive()
234 Proceed with negotiation.
CFtpLogonOpData::ParseResponse() in state 2
Инициализирую TLS...
tls_layer_impl::client_handshake()
tls_layer_impl::continue_handshake()
TLS handshake: About to send CLIENT HELLO
TLS handshake: Sent CLIENT HELLO
tls_layer_impl::on_send()
tls_layer_impl::continue_handshake()
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
TLS handshake: Received SERVER HELLO
TLS handshake: Processed SERVER HELLO
TLS handshake: Received CERTIFICATE
TLS handshake: Processed CERTIFICATE
TLS handshake: Received SERVER KEY EXCHANGE
TLS handshake: Processed SERVER KEY EXCHANGE
tls_layer_impl::failure(-89)
Ошибка:	Ошибка GnuTLS -89: Public key signature verification has failed.
Статус:	Не удалось установить соединение с "ECONNABORTED - Соединение прервано".
CRealControlSocket::OnSocketError(103)
CRealControlSocket::DoClose(66)
CControlSocket::DoClose(66)
CFtpControlSocket::ResetOperation(66)
CControlSocket::ResetOperation(66)
CFtpLogonOpData::Reset(66) in state 4

Previous versions of FileZilla work fine: 3.44 or 3.45

My system:
Debian Buster 5.4.0-0.bpo.4-amd64
GnuTLS 3.6.7-4+deb10u3

Remote server: vsftpd 3.0.3

How to fix this error?

botg
Site Admin
Posts: 35507
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Error GnuTLS -89 while ftpes:// connection

#2 Post by botg » 2020-04-24 08:48

Most likely something is wrong with the server's TLS configuration. What is the server's address?

#3 Post by gaba » 2020-04-24 14:30

botg wrote:
2020-04-24 08:48
Most likely something is wrong with the server's TLS configuration. What is the server's address?

Previous versions of FileZilla work fine: 3.44 or 3.45

Now I checked version 3.39 from Debian Buster - it works fine.

#4 Post by botg » 2020-04-24 15:00

The different client version is most likely just the trigger, not the cause.

What is the server's address?

#5 Post by gaba » 2020-05-07 14:27

I tried on 2 servers.

First server (Gentoo Linux, vsftpd 3.0.3):

Code:

tls_layer_impl::client_handshake()
tls_layer_impl::continue_handshake()
TLS handshake: About to send CLIENT HELLO
TLS handshake: Sent CLIENT HELLO
tls_layer_impl::on_send()
tls_layer_impl::continue_handshake()
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
TLS handshake: Received SERVER HELLO
TLS handshake: Processed SERVER HELLO
TLS handshake: Received CERTIFICATE
TLS handshake: Processed CERTIFICATE
TLS handshake: Received SERVER KEY EXCHANGE
TLS handshake: Processed SERVER KEY EXCHANGE
tls_layer_impl::failure(-89)
Ошибка:	Ошибка GnuTLS -89: Public key signature verification has failed.

Second (Debian 9, vsftpd 3.0.3):

Code:

tls_layer_impl::client_handshake()
tls_layer_impl::continue_handshake()
TLS handshake: About to send CLIENT HELLO
TLS handshake: Sent CLIENT HELLO
tls_layer_impl::on_send()
tls_layer_impl::continue_handshake()
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
TLS handshake: Received HELLO RETRY REQUEST
TLS handshake: Processed HELLO RETRY REQUEST
TLS handshake: About to send CLIENT HELLO
TLS handshake: Sent CLIENT HELLO
tls_layer_impl::on_read()
tls_layer_impl::continue_handshake()
tls_layer_impl::failure(-12)
Ошибка:	От сервера получено TLS оповещение: Illegal parameter (47)

On client Debian Buster, FileZilla 3.48.0

Previous version works fine (3.46.3).

If these errors are related to the use of TLSv1.1 and TLSv1.2, note that this patch is not applied in the current version of vsftpd on Debian (Ubuntu, etc).
https://serverfault.com/questions/99623 ... sl-tlsv1-1
https://bugs.launchpad.net/ubuntu/+sour ... ug/1804430
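
Added example, not part of the original posts and not FileZilla code: a small triage script for debug traces like the two above, reporting the last handshake message logged, the GnuTLS error code, and any TLS alert number. The function name `triage` and the sample strings are hypothetical; the samples are constructed by shortening the posted traces.

```python
import re

# GnuTLS error codes that appear in this thread (names as in gnutls.h).
GNUTLS_ERRORS = {-89: "GNUTLS_E_PK_SIG_VERIFY_FAILED",
                 -12: "GNUTLS_E_FATAL_ALERT_RECEIVED"}
STEP_RE = re.compile(r"TLS handshake: (Received|Processed|Sent) (.+)$")
FAIL_RE = re.compile(r"tls_layer_impl::failure\((-?\d+)\)")
ALERT_RE = re.compile(r"\((\d+)\)\s*$")  # trailing alert number, any UI language

# Constructed samples, shortened from the two traces posted above.
SAMPLE_KEYEX = """\
TLS handshake: Received SERVER KEY EXCHANGE
TLS handshake: Processed SERVER KEY EXCHANGE
tls_layer_impl::failure(-89)
Ошибка:\tОшибка GnuTLS -89: Public key signature verification has failed.
"""
SAMPLE_HRR = """\
TLS handshake: Processed HELLO RETRY REQUEST
TLS handshake: About to send CLIENT HELLO
TLS handshake: Sent CLIENT HELLO
tls_layer_impl::failure(-12)
Ошибка:\tОт сервера получено TLS оповещение: Illegal parameter (47)
"""

def triage(log_text):
    """Report where a FileZilla TLS handshake trace stopped and why."""
    out = {"last_step": None, "hello_retry": False,
           "error_code": None, "error_name": None, "alert": None}
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        step = STEP_RE.search(line)
        if step:
            out["last_step"] = f"{step.group(1)} {step.group(2)}"
            # HelloRetryRequest exists only in TLS 1.3 (RFC 8446).
            out["hello_retry"] |= step.group(2) == "HELLO RETRY REQUEST"
        fail = FAIL_RE.search(line)
        if fail:
            code = int(fail.group(1))
            out["error_code"] = code
            out["error_name"] = GNUTLS_ERRORS.get(code, "unknown")
            # After a fatal alert (-12) the next line carries the alert number.
            nxt = ALERT_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
            if code == -12 and nxt:
                out["alert"] = int(nxt.group(1))
            break
    return out

if __name__ == "__main__":
    for name, sample in (("first", SAMPLE_KEYEX), ("second", SAMPLE_HRR)):
        print(name, triage(sample))
```

For the first trace this shows the client stopping right after the server's signed key-exchange message; for the second it shows the server answering the repeated ClientHello that follows a TLS 1.3 HelloRetryRequest with alert 47.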

#6 Post by botg » 2020-05-08 07:13

What are the server addresses? Without stepping through the handshake this is impossible to diagnose.

#7 Post by gaba » 2020-06-23 18:22

Check
5.135.156.19
51.75.74.153

Now when I connect I get the error: Illegal parameter (47)
I tried FileZilla 3.48.1 on Debian Buster and the latest Arch.

#8 Post by botg » 2020-06-24 07:56

If it exists on your system, what are the contents of the file /etc/gnutls/config ?

#9 Post by gaba » 2020-06-26 07:22

No, not found on all systems.

#10 Post by botg » 2020-06-26 09:40

Could it possibly be a faulty firewall or other TLS inspecting/breaking middleware that cannot handle something in the handshake?
