Is there a way to turn off the TLS default in the latest Filezilla?

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
laurareeling
500 Command not understood
Posts: 3
Joined: 2015-01-08 22:01
First name: Laura
Last name: Clifford

Is there a way to turn off the TLS default in the latest Filezilla?

#1 Post by laurareeling » 2015-01-10 15:51

I get errors trying to connect to the site I ftp to most frequently and all the admin will tell me is to 'turn it off.' I haven't been able to figure out a way to do this....

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server
Status: Waiting to retry...

Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.5 Server
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server

User avatar
boco
Contributor
Posts: 24784
Joined: 2006-05-01 03:28
Location: Germany

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#2 Post by boco » 2015-01-10 15:59

1. In the Site Manager entry for your server, set Encryption to 'Plain FTP'.
2. Since plain FTP is insecure, demand a fix from them.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

laurareeling
500 Command not understood
Posts: 3
Joined: 2015-01-08 22:01
First name: Laura
Last name: Clifford

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#3 Post by laurareeling » 2015-01-10 16:08

Thanks - I haven't gotten strong impressions on their technical abilities.

User avatar
boco
Contributor
Posts: 24784
Joined: 2006-05-01 03:28
Location: Germany

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#4 Post by boco » 2015-01-10 16:18

Yeah, that's what we deal with right now: Lazy bum server admins. The problem is that users get burned for their laziness...
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

laurareeling
500 Command not understood
Posts: 3
Joined: 2015-01-08 22:01
First name: Laura
Last name: Clifford

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#5 Post by laurareeling » 2015-01-10 20:42

Great - they're refusing to do anything because it 'will break it for everyone else.'

mattauckland
504 Command not implemented
Posts: 6
Joined: 2015-01-19 23:13
First name: Matt
Last name: Auckland
Location: UK
Contact:

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#6 Post by mattauckland » 2015-01-19 23:19

In defence of server admins FileZilla was working just fine, until I was notified of an update. Now I'm also getting the same TLS error.

So as it was working perfectly prior to the update, and isn't now, that would suggest the fault is with a modification to FileZilla. So the question is, what has been modified with TLS in FileZilla that could have caused this issue?

User avatar
botg
Site Admin
Posts: 32472
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#7 Post by botg » 2015-01-20 09:02

laurareeling wrote:Great - they're refusing to do anything because it 'will break it for everyone else.'
How is fixing a server that definitely isn't working correctly breaking it for "everyone" else?
So as it was working perfectly prior to the update, and isn't now, that would suggest the fault is with a modification to FileZilla. So the question is, what has been modified with TLS in FileZilla that could have caused this issue?
Nothing has been modified with TLS. Before you simply were not using TLS at all. Now you are if the server says it supports it.

mattauckland
504 Command not implemented
Posts: 6
Joined: 2015-01-19 23:13
First name: Matt
Last name: Auckland
Location: UK
Contact:

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#8 Post by mattauckland » 2015-01-20 15:47

Well if anyone else comes across this issue, and runs a server or VPS with Plesk 12 and Linux (CentOS 6.5 64bit in my case), this is how you can resolve it:-


Login to your server via SSH (terminal) or using the Digital Ocean console, and enter the following command to edit the ProFTP configuration file:

Code: Select all

vi /etc/proftpd.conf
Enter Insert mode by pressing the Escape key to make sure your are in Command mode, followed by pressing the A key to enter Insert mode.

Move to the bottom of the file using the cursor keys, and add the following lines of code:

Code: Select all

# TLS
<IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/tls.log
   TLSProtocol SSLv3 TLSv1
   TLSRequired off
   TLSOptions NoCertRequest
   TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
   TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
   TLSVerifyClient off
   TLSRenegotiate required off
</IfModule>
Finally we need to save and exit. Do this by pressing the Escape key to enter Command mode, and then type :wq and press Enter.

Then for the changes to take effect, reboot the server using this command:
shutdown -r now
Or reboot proftpd only using the following command:

Code: Select all

/etc/init.d/xinetd restart

Hope that helps someone else, as it took me a little while to work out what was needed. Incidentally this solution doesn't effect non-TLS FTP connections, so won't cause issues to other users.

xeon
226 Transfer OK
Posts: 127
Joined: 2009-08-19 03:18

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#9 Post by xeon » 2015-01-20 17:18

mattauckland wrote: TLSProtocol SSLv3
TLSRenegotiate required off
These are insecure options.
mattauckland wrote: TLSRequired off
TLSVerifyClient off
Unnecessary, as they're already off by default.
mattauckland wrote: Then for the changes to take effect, reboot the server using this command:

shutdown -r now
Completely unnecessary to reboot the entire server, or even the proftpd process for that matter. You could simply send the HUP signal to reload the configuration.

mattauckland
504 Command not implemented
Posts: 6
Joined: 2015-01-19 23:13
First name: Matt
Last name: Auckland
Location: UK
Contact:

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#10 Post by mattauckland » 2015-01-22 00:07

Those steps are actually part of a larger configuration in a guide I wrote, and the shutdown/restart is needed.

The other settings are taken from PROFTPD's website, part of the guide to enabling TLS. So if it is wrong, you best let them know.

User avatar
boco
Contributor
Posts: 24784
Joined: 2006-05-01 03:28
Location: Germany

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#11 Post by boco » 2015-01-22 04:23

SSLv3 is deprecated, FileZilla doesn't support it anymore. That is a reason for getting TLS Fatal error -12.

Session renegotiation should be enabled.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

User avatar
botg
Site Admin
Posts: 32472
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#12 Post by botg » 2015-01-22 10:24

boco wrote:Session renegotiation should be enabled.
Renegotiation isn't needed. Are you confusing it with session reuse/resumption? Use of session reuse/resumption is very much desired for both security and performance reasons.

mattauckland
504 Command not implemented
Posts: 6
Joined: 2015-01-19 23:13
First name: Matt
Last name: Auckland
Location: UK
Contact:

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#13 Post by mattauckland » 2015-01-22 15:14

Actually the reason for the TLS Fatal error -12 was that TLS wasn't enabled in the config.

I resolved the fatal error by adding TLS to PROFTPD.

User avatar
boco
Contributor
Posts: 24784
Joined: 2006-05-01 03:28
Location: Germany

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#14 Post by boco » 2015-01-23 05:14

That is very poor for a server configuration. If TLS is disabled it MUST reject the AUTH commands. One to tell to the ProFTPd people, I guess.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

stefl0n
500 Command not understood
Posts: 1
Joined: 2015-01-23 09:00

Re: Is there a way to turn off the TLS default in the latest Filezilla?

#15 Post by stefl0n » 2015-01-23 09:33

Why are users forced to use TLS as default now?
I'm not using that unsecure site manager as passwords are stored unencrypted (!) in a plain xml/text file, easy accessible for malware and other bad guys. So why encrypt the connection at all then?!

I'm using FileZilla via cli within KeePass. The Connection type can be controlled with the "protocol" here in some way (sftp://, ftps://, ftpes://) but "ftp://" has to be plain FTP !
There has to be at least an option in the settings to control this automatic behaviour.

Changing the security settings for all ftp sites in the world is no reasonable way.

I'm now switching back to v3.9 until this gets fixed.

Thanks!

Post Reply