Can't connect with TLS/SSL in version 3.1.0

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
kiekar
504 Command not implemented
Posts: 6
Joined: 2008-07-24 18:36
First name: Karl

Re: Can't connect with TLS/SSL in version 3.1.0

#16 Post by kiekar » 2008-07-24 21:26

Hello,

Has far as I know, my server is working fine. I'm using serv-U 7.2.0.0.
I've been using smartFTP for sometime and I've never had a problem with serv-U.
Why does it work fine with version 3.0.11.1 and not the latest release?

Thanks

Karl

User avatar
botg
Site Admin
Posts: 31894
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect with TLS/SSL in version 3.1.0

#17 Post by botg » 2008-07-24 21:40

Because previous versions were broken, they failed to act on a problem reported by the TLS library.

kiekar
504 Command not implemented
Posts: 6
Joined: 2008-07-24 18:36
First name: Karl

Re: Can't connect with TLS/SSL in version 3.1.0

#18 Post by kiekar » 2008-07-24 21:58

Hello,

Thanks for your quick responses.

You mentioned that it is "a bug io my server". If thats the case, how should I go about finding the problem?
Is there a way I could look at the serv-U logs to see if SSL/TSL does not shut down properly?

Karl

User avatar
botg
Site Admin
Posts: 31894
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect with TLS/SSL in version 3.1.0

#19 Post by botg » 2008-07-24 22:03

Not sure it appears in the server log. You might want to contact your server vendor.

kiekar
504 Command not implemented
Posts: 6
Joined: 2008-07-24 18:36
First name: Karl

Re: Can't connect with TLS/SSL in version 3.1.0

#20 Post by kiekar » 2008-07-24 22:10

Hello,

If I were to contact serv-U, what should I tell them?
Should I tell them that I'm using FileZilla version 3.1 and that I am not able to connect to the account using SSL/TSL implicit.

Karl

User avatar
botg
Site Admin
Posts: 31894
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect with TLS/SSL in version 3.1.0

#21 Post by botg » 2008-07-24 22:23

Yes, and point them towards the following specs:

http://tools.ietf.org/html/rfc4346#page-27
http://rfc.net/rfc4217.html#p21

It clearly shows that a shutdown is required.

dmill
500 Command not understood
Posts: 4
Joined: 2008-07-25 02:52
First name: Dave
Last name: Miller

Re: Can't connect with TLS/SSL in version 3.1.0

#22 Post by dmill » 2008-07-25 03:10

I hear what you're saying botg, but let me add another server type (ProFTPD) on which the same problem is occuring. Also, the specs to which you linked speak to orderly shutdown. Are you saying that the problem starts with the close event and not with the bad packet?

(from the OP's log)

Trace: CTlsSocket::OnSocketEvent(): close event received
Trace: CTransferSocket::OnReceive(), m_transferMode=0
Trace: GnuTLS error -9: A TLS packet with unexpected length was received.
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted

User avatar
botg
Site Admin
Posts: 31894
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect with TLS/SSL in version 3.1.0

#23 Post by botg » 2008-07-25 06:33

The error code from GnuTLS is a bit misleading. It expects a packet with a nonzero length, but since the connection got closed without orderly shutdown, it gets a "0-length packet".

chromoplastic
500 Syntax error
Posts: 13
Joined: 2006-09-22 02:45

Re: Can't connect with TLS/SSL in version 3.1.0

#24 Post by chromoplastic » 2008-07-25 15:58

It is a bug in your server, it does not perform an orderly SSL/TLS shutdown like it's supposed to do.
It may be, but the fact is that i tried to access the same server with different FTP clients (current try-outs of Flash FXP and CuteFTP) and none of them suffer from this problem. And as i said before, i downgraded Filezilla and i'm now using version 3.0.11.1 without any problem whatsoever.

I contacted the admin of the server running Gene6 and is response was: "no one as any problem connecting to this server, you should use another ftp client". I seems that they've around 300 plus users connecting to this server in a daily basis.

For now i'll stick to version 3.0.11.1.

User avatar
botg
Site Admin
Posts: 31894
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect with TLS/SSL in version 3.1.0

#25 Post by botg » 2008-07-25 18:36

I contacted the admin of the server running Gene6 and is response was: "no one as any problem connecting to this server, you should use another ftp client".
Such arrogance.

ceturc
500 Command not understood
Posts: 1
Joined: 2008-07-26 00:50
First name: Chuck
Last name: Turco

Re: Can't connect with TLS/SSL in version 3.1.0

#26 Post by ceturc » 2008-07-26 01:24

I'm seeing the same behavior with FileZilla 3.1.0.1 and ProFTPd 1.3.1/OpenSSL 0.9.8b (stock CentOS 5.2).

After upgrading to 3.1.0.1, I am no longer able to communicate with my ProFTPd server via TLS. I get the exact same behavior posted by others.

I scanned the source code for ProFTPd and it's making the right call to OpenSSL's SSL_Shutdown which claims to cleanly send the proper messages.

I've directed my clients to not upgrade beyond 3.0 until this can be sorted out.

I am hopeful you'll reconsider FileZilla's behavior in this situation so we can continue to enjoy broad interoperability with OpenSSL based servers: "be lenient in what you accept and strict in what you send"

bunnyhero
500 Command not understood
Posts: 2
Joined: 2007-11-12 21:40

Re: Can't connect with TLS/SSL in version 3.1.0

#27 Post by bunnyhero » 2008-07-26 04:12

fwiw i emailed the author of vsftpd and he said he would fix it soon.

whale
500 Syntax error
Posts: 16
Joined: 2008-07-24 03:22
First name: Franklin
Last name: Tse

Re: Can't connect with TLS/SSL in version 3.1.0

#28 Post by whale » 2008-07-27 05:05

Not sure if this should be posted in the Server Support Forum...

Actually, FileZilla Server 0.9.26 has the same error and a fix should be required.

Code: Select all

12:43:24   Trace:   CTlsSocket::OnRead()
12:43:24   Trace:   GnuTLS error -9: A TLS packet with unexpected length was received.
12:43:24   Status:   Server did not properly shut down TLS connection
12:43:24   Trace:   CTlsSocket::OnSocketEvent(): close event received
12:43:24   Trace:   CRealControlSocket::OnClose(10053)
12:43:24   Error:   Disconnected from server: ECONNABORTED - Connection aborted
12:43:24   Trace:   CFtpControlSocket::ResetOperation(66)
12:43:24   Trace:   CControlSocket::ResetOperation(66)
So far, FTP 7 for IIS 7 appears to be one of the very few servers that do not have the problem:

Code: Select all

12:48:52   Trace:   CTlsSocket::OnSocketEvent(): close event received
12:48:52   Trace:   CRealControlSocket::OnClose(0)
12:48:52   Error:   Connection closed by server
12:48:52   Trace:   CFtpControlSocket::ResetOperation(66)
12:48:52   Trace:   CControlSocket::ResetOperation(66)

User avatar
botg
Site Admin
Posts: 31894
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect with TLS/SSL in version 3.1.0

#29 Post by botg » 2008-07-27 08:59

Actually PROT C is even the initial default, so FZ has to fall back.

But that's not the problem in this case. Please configure the server and all attached routers and firewalls as described in the Network Configuration guide.

p-jay
500 Command not understood
Posts: 1
Joined: 2008-07-27 09:23
First name: Peter
Last name: Jansen

Re: Can't connect with TLS/SSL in version 3.1.0

#30 Post by p-jay » 2008-07-27 09:28

Well I'm having exactly the same problem since my upgrade to filezilla 3.1.

I can't properly log on to my proftpd servers. I'm running two different servers with proftpd 1.3.0 and 1.3.1, but I've got exactly the same problem on both systems. Everything works fine without TLS/SSL required though.

Code: Select all

Jul 27 11:02:14 mod_tls/2.1.2[2948]: starting TLS negotiation on data connection
Jul 27 11:02:14 mod_tls/2.1.2[2948]: TLSv1/SSLv3 data connection accepted, using cipher XXXXXXXXXXXXXXX (128 bits)
Jul 27 11:09:28 mod_tls/2.1.2[3009]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jul 27 11:09:29 mod_tls/2.1.2[3009]: TLS/TLS-C requested, starting TLS handshake
Jul 27 11:09:29 mod_tls/2.1.2[3009]: TLSv1/SSLv3 connection accepted, using cipher XXXXXXXXXXXXXXXX (128 bits)
Jul 27 11:09:29 mod_tls/2.1.2[3009]: Protection set to Private
Jul 27 11:09:29 mod_tls/2.1.2[3009]: starting TLS negotiation on data connection
Jul 27 11:09:29 mod_tls/2.1.2[3009]: TLSv1/SSLv3 data connection accepted, using cipher XXXXXXXXXXXXXXXX (128 bits)

Code: Select all

257 "/" is the current directory
Commande :	TYPE I
Réponse:	200 Type set to I
Commande :	PASV
Réponse:	227 Entering Passive Mode (xxxxxxxxxxxxxxxxx).
Commande :	LIST
Réponse:	150 Opening ASCII mode data connection for file list
Statut:	Server did not properly shut down TLS connection
Erreur :	Could not read from transfer socket: ECONNABORTED - Connection aborted
Réponse:	226 Transfer complete
Erreur :	Échec à la lecture du contenu du répertoire
What happens is that I can log on but I only see an empty folder. Is there anything I can do in my filezilla config settings?

Post Reply