Wireshark capture of the failed FTP session between camera and FileZilla server appears to contain a fatal coding inconsistency (or does it?)
Please see line 45 and line 50 of the expanded packet. Line 45 says TLSv1 (0x301) and Line 50 says TLSv3 (0x303) and proceeds to supply all sorts of TLS parameters.
Is this coding error enough to get FileZilla to reject the connection?
Code: Select all
1 "Frame 9: 235 bytes on wire (1880 bits), 235 bytes captured (1880 bits) on interface \Device\NPF_{F233B6E4-BE24-4723-AA85-49E87A7B1E81}, id 0"
2 "Ethernet II, Src: Front_Door_Cam (68:39:43:d7:fa:24), Dst: Dicks_HP (20:25:64:0f:ba:cd)"
3 "Internet Protocol Version 4, Src: Front_Door_Cam (192.168.1.52), Dst: Dicks_HP (192.168.1.2)"
4 "Transmission Control Protocol, Src Port: 49388, Dst Port: 21, Seq: 11, Ack: 114, Len: 181"
5 Source Port: 49388
6 Destination Port: 21
7 [Stream index: 0]
8 " [Conversation completeness: Complete, WITH_DATA (31)]"
9 [TCP Segment Len: 181]
10 Sequence Number: 11 (relative sequence number)
11 Sequence Number (raw): 2474896074
12 [Next Sequence Number: 192 (relative sequence number)]
13 Acknowledgment Number: 114 (relative ack number)
14 Acknowledgment number (raw): 1141086550
15 0101 .... = Header Length: 20 bytes (5)
16 " Flags: 0x018 (PSH, ACK)"
17 000. .... .... = Reserved: Not set
18 ...0 .... .... = Nonce: Not set
19 .... 0... .... = Congestion Window Reduced (CWR): Not set
20 .... .0.. .... = ECN-Echo: Not set
21 .... ..0. .... = Urgent: Not set
22 .... ...1 .... = Acknowledgment: Set
23 .... .... 1... = Push: Set
24 .... .... .0.. = Reset: Not set
25 .... .... ..0. = Syn: Not set
26 .... .... ...0 = Fin: Not set
27 [TCP Flags: ·······AP···]
28 Window: 4009
29 [Calculated window size: 64144]
30 [Window size scaling factor: 16]
31 Checksum: 0x8ca6 [unverified]
32 [Checksum Status: Unverified]
33 Urgent Pointer: 0
34 [Timestamps]
35 [Time since first frame in this TCP stream: 0.098337000 seconds]
36 [Time since previous frame in this TCP stream: 0.000000000 seconds]
37 [SEQ/ACK analysis]
38 [iRTT: 0.020591000 seconds]
39 [Bytes in flight: 181]
40 [Bytes sent since last PSH flag: 181]
41 TCP payload (181 bytes)
42 Transport Layer Security
43 TLSv1 Record Layer: Handshake Protocol: Client Hello
44 Content Type: Handshake (22)
45 Version: TLS 1.0 (0x0301)
46 Length: 176
47 Handshake Protocol: Client Hello
48 Handshake Type: Client Hello (1)
49 Length: 172
50 Version: TLS 1.2 (0x0303)
51 Random: 040492e3ecb0567a28b2107000f02e418237e7737bd1c35e67fccd950ebe382f
52 " GMT Unix Time: Feb 19, 1972 20:36:51.000000000 Pacific Standard Time"
53 Random Bytes: ecb0567a28b2107000f02e418237e7737bd1c35e67fccd950ebe382f
54 Session ID Length: 0
55 Cipher Suites Length: 96
56 Cipher Suites (48 suites)
57 Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
58 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
59 Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
60 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
61 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
62 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
63 Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
64 Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
65 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
66 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
67 Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
68 Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
69 Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
70 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
71 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
72 Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
73 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
74 Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
75 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
76 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
77 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
78 Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
79 Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
80 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
81 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
82 Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
83 Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
84 Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
85 Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
86 Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
87 Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
88 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
89 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
90 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
91 Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
92 Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
93 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
94 Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
95 Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
96 Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
97 Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
98 Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
99 Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
100 Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
101 Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)
102 Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)
103 Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
104 Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
105 Compression Methods Length: 1
106 Compression Methods (1 method)
107 Compression Method: null (0)
108 Extensions Length: 35
109 Extension: session_ticket (len=0)
110 Type: session_ticket (35)
111 Length: 0
112 Data (0 bytes)
113 Extension: signature_algorithms (len=22)
114 Type: signature_algorithms (13)
115 Length: 22
116 Signature Hash Algorithms Length: 20
117 Signature Hash Algorithms (10 algorithms)
118 Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
119 Signature Algorithm: SHA512 DSA (0x0602)
120 Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
121 Signature Algorithm: SHA384 DSA (0x0502)
122 Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
123 Signature Algorithm: SHA256 DSA (0x0402)
124 Signature Algorithm: SHA224 RSA (0x0301)
125 Signature Algorithm: SHA224 DSA (0x0302)
126 Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
127 Signature Algorithm: SHA1 DSA (0x0202)
128 Extension: heartbeat (len=1)
129 Type: heartbeat (15)
130 Length: 1
131 Mode: Peer allowed to send requests (1)
132 " [JA3 Fullstring: 771,165-163-161-159-107-106-105-104-57-56-55-54-157-61-53-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-156-60-47-150-5-4-22-19-16-13-10-21-18-15-12-9-255,35-13-15,,]"
133 [JA3: dac10c3caa29f6c6ce48ae4c2fdca84a]
The camera company's engineers suggest that I "turn off" TLS support on FileZilla, to which I respond:
#1 - That is not possible.
#2 - A modern FTP server MUST support TLS security.
What remains unexplained is why Cerebus FTP accepts the connection when it is set to accept only TLSv3. (Perhaps they ignore the coding inconsistency?)