
A call to SSPI failed, see inner exception #9

Closed
zharris6 opened this issue Nov 18, 2016 · 12 comments

Comments

@zharris6

Hello -

I am trying to make an Explicit SSL request to my UNIX-based ftpd.

    conn.EncryptionMode = FtpEncryptionMode.Explicit;
    conn.SslProtocols = SslProtocols.Tls12;

I receive the exception "A call to SSPI failed, see inner exception"

The ftp server logs give me this :

Failed TLS negotiation on control channel, disconnected. (SSL_accept(): (1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)

Any insight you can provide would be greatly appreciated!

@zharris6 (Author)

Didn't read the documentation, going to try that first :)

@zharris6 zharris6 reopened this Nov 18, 2016
@zharris6 (Author)

zharris6 commented Nov 18, 2016

I followed this post as mentioned in the documentation:
http://stackoverflow.com/questions/13697230/ssl-stream-failed-to-authenticate-as-client-in-apns-sharp

I generated my own PFX cert, and registered it like so:
https://arashnorouzi.wordpress.com/2011/04/13/sending-apple-push-notifications-in-asp-net-%E2%80%93-part-3-apns-certificates-registration-on-windows/

Despite all this, I am getting exactly what you outlined in the docs.

Exception: "A call to SSPI failed, see inner exception."

Inner Message = "The message received was unexpected or badly formatted"

Any help would be greatly appreciated.

PS: I have a working POC of your application with SOCKS5 support. Look out for it once I tidy it up!

Here are my config settings:

    conn.Credentials = new NetworkCredential(SiUser, SiPass);
    conn.DataConnectionType = FtpDataConnectionType.PASV;
    conn.EncryptionMode = FtpEncryptionMode.Explicit;
    conn.SocketPollInterval = 5000;

    conn.Host = SiIp;
    conn.Port = SiPort;
    conn.ValidateCertificate += (control, e) => {
        e.Accept = true;
    };
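The handler above sets e.Accept = true unconditionally, which disables server certificate validation entirely. As an added example (not code from the issue or from FluentFTP itself), here is the same configuration with a handler that accepts only a certificate with no SslPolicyErrors or one whose thumbprint is pinned to the test server; the thumbprint, host, port and credential values are placeholders. Note that this does not address the server-side "no shared cipher" log line, which is a cipher-suite mismatch between client and server, not a certificate problem.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using FluentFTP;

// Placeholder values (assumptions, not from the issue): fill in for your own server.
const string SiIp = "ftp.example.test";
const int SiPort = 21;
const string SiUser = "user";
const string SiPass = "password";
// Placeholder: the SHA-1 thumbprint of the test server's certificate, obtained
// out-of-band from the server operator, never copied from a live handshake.
const string ExpectedThumbprint = "PLACEHOLDER-THUMBPRINT";

var conn = new FtpClient();
conn.Credentials = new NetworkCredential(SiUser, SiPass);
conn.DataConnectionType = FtpDataConnectionType.PASV;
conn.EncryptionMode = FtpEncryptionMode.Explicit;
conn.SslProtocols = SslProtocols.Tls12;
conn.Host = SiIp;
conn.Port = SiPort;

conn.ValidateCertificate += (control, e) =>
{
    // Weak setting from the issue: "e.Accept = true;" accepts any certificate,
    // including one presented by an interposed host.
    var cert = new X509Certificate2(e.Certificate);
    bool chainOk = e.PolicyErrors == SslPolicyErrors.None;
    bool pinned = string.Equals(cert.Thumbprint, ExpectedThumbprint,
                                StringComparison.OrdinalIgnoreCase);

    // Accept a certificate that chains to a trusted root, or the single pinned
    // self-signed test certificate; reject and log everything else.
    e.Accept = chainOk || pinned;
    if (!e.Accept)
    {
        Console.Error.WriteLine(
            $"Rejected certificate for {cert.Subject}: policy errors = {e.PolicyErrors}, " +
            $"thumbprint = {cert.Thumbprint}");
    }
};

conn.Connect();
conn.Disconnect();
```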

@robinrodricks (Owner)

robinrodricks commented Nov 18, 2016

I don't have an SSL FTP test server to check this out. Perhaps you can share credentials to yours (if its a test server) via email, or send me a guide to setting it up on whichever OS it works best? Currently I'm using Windows 7 x64 and have no Unix box nearby, and no VPS/remote box either.

@zharris6 (Author)

zharris6 commented Nov 18, 2016

This worked fine with the same server last week. The server hasn't changed.

I don't understand why. Maybe I am missing a setting I had before? Or something with my certs?

I have tried everything under the sun to try and get this to work.

My last attempt was generating a client .p12 cert and using that.

https://gist.github.com/mtigas/952344

Thank you in advance for your support.

@zharris6 (Author)

I was able to solve this by totally bypassing MS SSPI.

After days and days of trying every cert known to man, I am starting to think it is a bug with SSPI and newer/stronger certs.

I implemented OpenSSL and was able to log in fine.

If you would like more information, please let me know.

I would be happy to keep testing SSPI, however, if it will benefit others.

Also I can try to implement OpenSSL handshakes into FluentFTP if there is a need.

@robinrodricks (Owner)

I lost you. You "implemented OpenSSL"? I don't understand what's going on.

@zharris6 (Author)

I implemented this package:

https://github.com/openssl-net/openssl-net

For whatever reason, SSPI cannot successfully authenticate with my server.

My guess is that it's because the UNIX-based server is using OpenSSL for its negotiation.

I am really not 100% sure.

Have you had a chance to try the test server I set up?

@robinrodricks (Owner)

No, not yet. Maybe later this week or next week. If it's a specialized use case then I'd prefer not testing it.

@fernandovictorTI

Hi @zharris6,
Could you show an example of how you implemented the package openssl-net?
https://github.com/openssl-net/openssl-net

@zharris6 (Author)

zharris6 commented May 23, 2018

I am several versions behind at this point. But here is the ActivateEncryption method using https://github.com/openssl-net/openssl-net. For the record, I do not believe a Linux/Unix-based server using OpenSSL is a specialized use case at all.

    public void ActivateEncryption(string targethost, X509CertificateCollection clientCerts, SslProtocols sslProtocols)
    {
        if (!IsConnected)
            throw new InvalidOperationException("The FtpSocketStream object is not connected.");

        if (m_netStream == null)
            throw new InvalidOperationException("The base network stream is null.");

        if (m_sslStream != null)
            throw new InvalidOperationException("SSL Encryption has already been enabled on this stream.");

        try
        {
            DateTime auth_start;
            TimeSpan auth_time_total;

            // openssl-net SslStream wrapping the raw network stream (leaveInnerStreamOpen = true,
            // no remote-certificate validation or local-certificate selection callbacks).
            m_sslStream = new OpenSSL.SSL.SslStream(NetworkStream, true, null, null);

            auth_start = DateTime.Now;

            // Client certificate list and chain passed to the handshake; as posted, a single
            // empty X509Certificate is added to both, so no real client certificate is sent.
            var certlist = new OpenSSL.X509.X509List();

            var chan = new OpenSSL.X509.X509Chain();

            var cert = new OpenSSL.X509.X509Certificate();

            chan.Add(cert);
            certlist.Add(cert);

            // Let OpenSSL negotiate the protocol version (Default) and accept any cipher strength (All).
            m_sslStream.AuthenticateAsClient(targethost, certlist, chan, OpenSSL.SSL.SslProtocols.Default, OpenSSL.SSL.SslStrength.All, false);

            auth_time_total = DateTime.Now.Subtract(auth_start);
            FtpTrace.WriteLine("Time to activate encryption: {0}h {1}m {2}s, Total Seconds: {3}.",
                auth_time_total.Hours,
                auth_time_total.Minutes,
                auth_time_total.Seconds,
                auth_time_total.TotalSeconds);
        }
        catch (AuthenticationException)
        {
            // authentication failed and in addition it left our
            // ssl stream in an unusable state so cleanup needs
            // to be done and the exception can be re-thrown for
            // handling down the chain.
            Close();
            throw; // rethrow without resetting the stack trace
        }
    }

@fernandovictorTI

Thank you @zharris6, when I arrive at the company I will test.

@MrArca9

MrArca9 commented Jun 26, 2020

I'm looking for more information on this issue.

There's still a plethora of companies running Windows 7 on their devices where SSPI is having issues with TLS 1.2. I'm at the point where I have to circumvent SSPI altogether because the companies can't/won't upgrade the systems.

I'm looking to use https://www.nuget.org/packages/System.Security.Cryptography.OpenSsl/ because of maintainability, but at this point I'll take anything that works.
