TLS packet with unexpected length - *not* server reset prob

[Keith.Fearnley]

Hi, I am trying to connect to a client's FTP server - a new build Windows Server 2008 machine, not sure what the FTP server is, but probably built-in if that's sensible to assume.

I have been told to use FTPES (their support people also use FileZilla, so we are talking the same language) and I've downgraded to their version of FileZilla to be certain (v3.0.11.1).

When I try to connect, it seems to fail at the start of the secure negotiations... afetr the server banner, we see...
------------------------------------
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: GnuTLS error -9: A TLS packet with unexpected length was received.
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
-------------------------------------

Any ideas, please?
The client's support team can repeatedly connect using FileZilla with no problems at all, so I don't think it is the server resetting problem noted in the other threads linked with the "unexpected length" message, though I could be wrong.

This is the first time I've tried using SFTP (rather than plan insecure FTP) so please don't assume anything, it could be a dumb error in setting things up on my part.

Thanks for any help.

[botg]

3.0.11.1 is heavily outdated. Please note that we cannot possibly support such outdated versions.

This is the first time I've tried using SFTP (rather than plan insecure FTP) [...]

Do you mean FTPS? SFTP is yet another protocol.

[Keith.Fearnley]

Thanks for the reply and sorry about my unclear terminology.
I am using the FTPES server type ("FTPES - FTP over explicit TLS/SSL") within FileZIlla, with logon type "normal" and everything else at default values, I think.
I was using this version because the latest version I started with failed and the site administrator asked me to use this older version, since it matched the version they were successfully using.

I have re-installed the latest 3.3.2 version and retried - the log from this is below (with 'debug' level logging):
--------------
...
Response: 220 *****************************************************
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::Failure(-9, 10053)
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
------------------------------

Thanks again for any help.

[botg]

My first guess would be a firewall sabotaging the connection.

Is the server reachable through the internet? If so, mind sharing its address so that I can try myself?

[Keith.Fearnley]

Sorry, I can't do that.
If it was a problem with the firewall at our end (since the server admins say that they can get in from within and outside their domain), what are the likely ports that would need to be opened, please? The documentation I looked at seemed to concentrate on opening up ports for the server, or I may have misunderstood.

[botg]

Everything you need to know is mentioned in the Network Configuration guide. Note that it is your server administrator's task to make sure the server is working properly, a proper server does not need any special client configuration.

What FTP server software are you using?

[Keith.Fearnley]

I'm not 100% sure but I think it would be whatever comes with Windows / IIS? Awaiting response from them to confirm.

The thing that baffles me is that they can get in but I can't, I thought this would point perhaps to my company's firewall needing configuration rather than the server itself?

To try and clarify, we have...

FTP Server (our client)
Their firewall, etc.
Internet
Our firewall, etc.
My client PC

They say (though I cannot presonally confirm) that they can access the server from a parallel position to me (outside their domain, etc.).

Is there any further information on the problem to which the error message relates?
I understand the (related?) problem with the server/connection reset causing this that is explained very well elsewherehere, but could a port not being open in their or my firewall also cause this error message?

[botg]

I'm not 100% sure but I think it would be whatever comes with Windows / IIS? Awaiting response from them to confirm.

I don't think IIS even supports FTP over TLS.

The thing that baffles me is that they can get in but I can't, I thought this would point perhaps to my company's firewall needing configuration rather than the server itself?

Quite possible, hard to tell without actually having access to the networks in question.

I understand the (related?) problem with the server/connection reset causing this that is explained very well elsewherehere, but could a port not being open in their or my firewall also cause this error message?

See above.

[Keith.Fearnley]

They are running Windows 2008 R2 IIS 7.5 FTP Service.

I now have further information - another user on another machine at my site can get through with no problems. I guess this puts the problem squarely at my laptop. The other PC is on the same LAN, so going through the same infrastructure at our end and looking for the same remote server and using the same version of FileZilla with the same settings.

So the question probably morphs into... "What settings or problems on my local machine could cause FileZilla to complain with that error message?"

I've stopped my local website and various services that I might expect to be using various ports... is there something I can use to check what ports my PC might be denying to FileZilla or any security settings that might interfere?

Sorry about any previous confusion or misdirection and continued thanks for your attention on this.

[botg]

Are you using any firewalls, virus scanners or other so-called security solutions? What happens if you completely uninstall them for a test?

[hcmnttan]

Hi there,

The same error occured to me.
I use my laptop connect to network by an RJ45 cab, I could connect to FTP server suscessfully. But when using wireless, I got below error code:

14:29:22 Status: Connecting to 128.235.107.54:21...
14:29:22 Status: Connection established, waiting for welcome message...
14:29:22 Trace: CFtpControlSocket::OnReceive()
14:29:22 Response: 220 Microsoft FTP Service
14:29:22 Trace: CFtpControlSocket::SendNextCommand()
14:29:22 Command: AUTH TLS
14:29:22 Trace: CFtpControlSocket::OnReceive()
14:29:22 Response: 234 AUTH command ok. Expecting TLS Negotiation.
14:29:22 Status: Initializing TLS...
14:29:22 Trace: CTlsSocket::Handshake()
14:29:22 Trace: CTlsSocket::ContinueHandshake()
14:29:22 Trace: CTlsSocket::Failure(-9, 10053)
14:29:22 Error: GnuTLS error -9: A TLS packet with unexpected length was received.
14:29:22 Trace: CControlSocket::DoClose(64)

Seem that the authentication of wireless checkpoint that affected to TLS packet length or somthing like that..
I am using Windows 2008 R2 IIS 7.5 FTP Service too, and the client I am using is FileZilla_3.3.5.1

Anyone can help me ?

Thanks

[hakio]

Hi,

We are experiencing the same error when trying to do a FTPES connection. Did you manage to solve the issue?

[sam_ok]

I am trying to use FileZilla client to connect to z/OS V1.8 server. There are two results.

Case 1: Workstation is Windows 7, using FileZilla client v3.3.5.1

Here are the console messages:

Status: Connecting to 192.168.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at DEVL, 10:04:17 on 2011-03-25.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSocketEvent(): close event received
Trace: CRealControlSocket::OnClose(0)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Status: Waiting to retry...
Trace: CControlSocket::DoClose(64)
Trace: CControlSocket::DoClose(64)
Status: Connecting to 192.168.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at DEVL, 10:04:41 on 2011-03-25.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::Failure(-9, 10053)
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Trace: CTlsSocket::OnSocketEvent(): close event received
Trace: CRealControlSocket::OnClose(10053)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)

Case 2: Workstation is WINXP Professional SP3, using FileZilla client v3.3.5.1

Status: Connecting to 192.168.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220-FTPD1 IBM FTP CS V1R8 at DEVL, 10:29:44 on 2011-03-25.
Response: 220 Connection will close if idle for more than 5 minutes.
Command: AUTH TLS
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER DRVUSER
Status: TLS/SSL connection established.
Response: 331 Send password please.
Command: PASS ********
Response: 230 DRVUSER is logged on. Working directory is "DRVUSER.".
Command: SYST
Response: 215 MVS is the operating system of this server. FTP Server is running on z/OS.
Command: FEAT
Response: 211- Extensions supported
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: 211 End
Command: PBSZ 0
Response: 200 Protection buffer size accepted
Command: PROT P
Response: 200 Data connection protection set to private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "'DRVUSER.'" is working directory.
Command: TYPE I
Response: 200 Representation type is Image
Command: PASV
Response: 227 Entering Passive Mode (192,168,xxx,xxx,4,4)
Command: LIST
Response: 125 List started OK
Response: 250 List completed successfully.
Status: Directory listing successful

Case 1 failed but case 2 was successful.

I installed the same server certificate generated from z/OS in the above two workstations. I concluded that there is problem for FileZilla client running in Windows 7 using the protocol 'FTPES - FTP over explicit TLS/SSL' to connect to z/OS.

Hope FileZilla can fix the problem as soon as possible.

[boco]

Hope FileZilla can fix the problem as soon as possible.

Nothing to fix in FileZilla. Most probably the Win7 firewall is the problem.

[sam_ok]

Hope FileZilla can fix the problem as soon as possible.

Nothing to fix in FileZilla. Most probably the Win7 firewall is the problem.

I disabled my Windows 7 firewall settings as follows:

My Windows 7 firewall settings

WINS7 Firewall Settings.jpg (85.84 KiB) Viewed 44803 times

Then I tried using FileZilla v3.3.5.1 to connect to z/OS host again. It still failed with the following console messages:

Trace: CControlSocket::DoClose(64)
Trace: CControlSocket::DoClose(64)
Status: Connecting to 192.168.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at DEVL, 02:12:20 on 2011-03-28.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSocketEvent(): close event received
Trace: CRealControlSocket::OnClose(0)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Status: Waiting to retry...
Trace: CControlSocket::DoClose(64)
Trace: CControlSocket::DoClose(64)
Status: Connecting to 192.168.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at DEVL, 02:12:44 on 2011-03-28.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSocketEvent(): close event received
Trace: CRealControlSocket::OnClose(0)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)

It proved that the connection problem should not relate to WIN7 firewall blocking.

Please help.