SSL version number incompatibility #5061

Closed
cyberduck opened this issue Jul 20, 2010 · 16 comments
Labels: bug fixed ftp-tls FTP (TLS) Protocol Implementation

@cyberduck
Collaborator

69459ad created the issue

  • 1/ successfully able to connect to the server via cuteFTP pro mac using FTPS (SSL FTP).
  • 2/ Not able to connect using cyberduck FTP-SSL option. When connection is attempted, cyberduck reports unrecognized SSL message.
  • 3/ I have uploaded the screen shot of cyberduck and the transcript from cuteFTP pro mac for your verification.
    cyberduck error.tiff

```
Aug 28 12:18:13 mod_tls/2.4.1[27312]: unable to accept TLS connection: protocol error: 
  (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
```


@dkocher commented

After the AUTH TLS we initiate the SSL handshake and expect all responses from the server over SSL.

CuteFTP log:

```
220 ProFTPD 1.3.3 Server (Xirvik FTP server) [74.63.86.114]
AUTH TLS 
234 AUTH TLS successful 
PBSZ 0 
200 PBSZ 0 successful 
PROT P 
200 Protection set to Private 
USER encd16f3 
331 Password required for encd16f3 
PASS ******** 
230 User encd16f3 logged in 
```

Cyberduck log:

```
220 ProFTPD 1.3.3 Server (Xirvik FTP server) [74.63.86.114]
AUTH TLS
234 AUTH TLS successful
USER dkocher
```


@dkocher commented

Updating to ProFTPD 1.3.3a should resolve this issue.


69459ad commented

Replying to [comment:4 dkocher]:

> Updating to ProFTPD 1.3.3a should resolve this issue.

Updated. Still the same issue. Uploaded new screen shots.


@dkocher commented

Replying to [comment:6 lee.norman@…]:

Can you please post the logging from the ProFTPD server log?


@dkocher commented

Client SSL debug log.

```
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1283016458 bytes = { 23, 106, 142, 243, 242, 72, 216, 24, 63, 73, 99, 221, 250, 71, 187, 59, 195, 104, 10, 136, 140, 14, 237, 51, 71, 156, 246, 233 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 79
0000: 01 00 00 4B 03 01 4C 79   47 0A 17 6A 8E F3 F2 48  ...K..LyG..j...H
0010: D8 18 3F 49 63 DD FA 47   BB 3B C3 68 0A 88 8C 0E  ..?Ic..G.;.h....
0020: ED 33 47 9C F6 E9 00 00   24 00 04 00 05 00 2F 00  .3G.....$...../.
0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00  5.3.9.2.8.......
0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
pool-1-thread-3, WRITE: TLSv1 Handshake, length = 79
[write] MD5 and SHA1 hashes:  len = 107
0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B... .......
0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00  ..../..5..3..9..
0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13  2..8............
0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02  .....@..........
0040: 00 80 00 00 08 00 00 14   00 00 11 4C 79 47 0A 17  ...........LyG..
0050: 6A 8E F3 F2 48 D8 18 3F   49 63 DD FA 47 BB 3B C3  j...H..?Ic..G.;.
0060: 68 0A 88 8C 0E ED 33 47   9C F6 E9                 h.....3G...
pool-1-thread-3, WRITE: SSLv2 client hello message, length = 107
[Raw write]: length = 109
0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B... .....
0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39  ....../..5..3..9
0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00  ..2..8..........
0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00  .......@........
0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4C 79 47  .............LyG
0050: 0A 17 6A 8E F3 F2 48 D8   18 3F 49 63 DD FA 47 BB  ..j...H..?Ic..G.
0060: 3B C3 68 0A 88 8C 0E ED   33 47 9C F6 E9           ;.h.....3G...
[Raw read]: length = 5
0000: 35 35 30 20 54                                     550 T
pool-1-thread-3, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
pool-1-thread-3, SEND TLSv1 ALERT:  fatal, description = unexpected_message
pool-1-thread-3, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 0A                               .......
pool-1-thread-3, called closeSocket()
pool-1-thread-3, called close()
pool-1-thread-3, called closeInternal(true)
2010-08-28 19:27:38,627 [pool-1-thread-3] ERROR ch.cyberduck.core.ftp.FTPSession - Connection attempt canceled
```
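The raw writes and reads in the debug log above can be decoded by their first few bytes. As an added example (not part of the original thread and not Cyberduck's code), this Python helper classifies the start of each one; the byte strings are copied from the log, while the function name and lookup tables are assumptions made for illustration.

```python
# Added example: classify the first bytes on the FTP control channel after AUTH TLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions, enough for this log (assumption: extend as needed).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}


def classify(data: bytes) -> dict:
    """Classify the message that starts at data[0] (hypothetical helper name)."""
    if len(data) < 5:
        return {"kind": "truncated"}
    # SSLv2 record: 2-byte header with the high bit set and a 15-bit length,
    # then message type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"kind": "sslv2_client_hello",
                "length": ((data[0] & 0x7F) << 8) | data[1],
                "offers": VERSIONS.get((data[3], data[4]), "unknown")}
    # SSLv3/TLS record: content type, major.minor version, 2-byte length.
    if data[0] in CONTENT_TYPES and data[1] == 3:
        out = {"kind": "tls_record", "type": CONTENT_TYPES[data[0]],
               "version": VERSIONS.get((data[1], data[2]), "unknown"),
               "length": int.from_bytes(data[3:5], "big")}
        if data[0] == 21 and len(data) >= 7:  # unencrypted alert: level, description
            out["alert"] = (ALERT_LEVELS.get(data[5], "unknown"),
                            ALERT_DESCRIPTIONS.get(data[6], "unknown"))
        return out
    # Plaintext FTP reply: three ASCII digits followed by a space or hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return {"kind": "plaintext_ftp_reply", "code": int(data[:3])}
    return {"kind": "unknown"}


# Bytes copied from the debug log above (start of each raw write/read).
RAW_WRITE_HELLO = bytes.fromhex("806b0103010042000000" "20")
RAW_READ = bytes.fromhex("3535302054")
RAW_WRITE_ALERT = bytes.fromhex("1503010002020a")

if __name__ == "__main__":
    for name, raw in [("raw write (109 bytes)", RAW_WRITE_HELLO),
                      ("raw read (5 bytes)", RAW_READ),
                      ("raw write (7 bytes)", RAW_WRITE_ALERT)]:
        print(name, classify(raw))
```

The first raw write is an SSLv2-format hello (header `80 6B`, length 107) that asks for TLSv1, and the 5-byte raw read is a plaintext FTP `550` reply rather than a TLS record, which is what triggers the client's `unexpected_message` alert.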


69459ad commented

Hi - uploaded the log, containing both failed FTP TLS and successful ones using different client. This is a sample extract of a failed login attempt:

```
Aug 28 12:18:09 mod_tls/2.4.1[27312]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Aug 28 12:18:12 mod_tls/2.4.1[27312]: TLS/TLS-C requested, starting TLS handshake
Aug 28 12:18:13 mod_tls/2.4.1[27312]: unable to accept TLS connection: protocol error: 
  (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Aug 28 12:18:13 mod_tls/2.4.1[27312]: TLS/TLS-C negotiation failed on control channel
Aug 28 18:47:57 mod_tls/2.4.1[24384]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
```

This is a successful one:

```
Aug 30 11:49:16 mod_tls/2.4.1[7767]: Protection set to Private
Aug 30 11:49:17 mod_tls/2.4.1[7767]: starting TLS negotiation on data connection
Aug 30 11:49:17 mod_tls/2.4.1[7767]: TLSv1/SSLv3 renegotiation accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Aug 30 11:49:17 mod_tls/2.4.1[7767]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
```

The last entries are using a Firefox FTP plugin(!!) via AUTH TLS connection.


@dkocher commented

Can you check the server log for any messages (usually proftpd.log)?


@dkocher commented

Please check your TLSProtocol setting in the server configuration file to have the value SSLv23.


@dkocher commented

Added reference in wiki to ProFTPd compatibility notes.


69459ad commented

Hi - Tried and still not able to connect. I am just wondering (in absence of real knowledge) why SSL has got much to do with TLS. Issue still not resolved.


@dkocher commented

Replying to [comment:13 lee.norman@…]:

> Hi - Tried and still not able to connect. I am just wondering (in absence of real knowledge) why SSL has got much to do with TLS. Issue still not resolved.

Please contact your server administrator about the configuration change needed. We are still looking into a resolution here that could work with any configuration.


69459ad commented

Hi, Just to be sure. The configuration has been changed and I have retested and Cyberduck doesn't connect. The change made was setting TLSProtocol to SSLv23. If there is any way that we can make Cyberduck connect and transfer encrypted using TLS, love to hear it.


@dkocher commented

Replying to [comment:15 lee.norman@…]:

> Hi, Just to be sure. The configuration has been changed and I have retested and Cyberduck doesn't connect. The change made was setting TLSProtocol to SSLv23. If there is any way that we can make Cyberduck connect and transfer encrypted using TLS, love to hear it.

What does the ProFTPd log say?


@dkocher commented

As of edcf6ec we should be interoperable with the TLSProtocol TLSv1 option. Disabled SSLv2 for all SSL sockets.


@dkocher commented

Reverted in 4fa58a6.


@dkocher commented

Fix committed in dd07a71 when running on JRE 6 or later.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021