Opened 17 years ago
Last modified 11 years ago
#1294 closed Bug report
TLS handshake failure with MVS server
Reported by: | r0br1b | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | FileZilla Client |
Keywords: | | Cc: | r0br1b, Tim Kosse |
Component version: | | Operating system type: | |
Operating system version: | | | |
Description
The messages below are received when trying to connect to an IBM z/OS FTP server using explicit TLS (the product SmartFTP can successfully establish a secure connection):
Status: Resolving IP-Address for xxx.xxx.xxx
Trace: ControlSocket.cpp(948): CRealControlSocket::ContinueConnect(01387750) m_pEngine=0112BE18 caller=013A6508
Status: Connecting to nnn.nnn.nnn.nnn:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at xxx.xxx.xxx, 10:18:13 on 2007-09-23.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Command: USER xxx
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::Handshake()
Trace: GnuTLS alert 40: Handshake failed
Trace: GnuTLS error -12: A TLS fatal alert has been received.
Trace: CRealControlSocket::OnClose()
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
I can provide the ip address to the server in case you wish to try this out.
Change History (10)
comment:1 by , 17 years ago
comment:3 by , 17 years ago
The connection gets closed by the server with a "Handshake failed" alert without further information.
Is there any message in the server logs? (You might have to turn on verbose logging on your server)
comment:4 by , 17 years ago
The following trace entries might be of interest:
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FR0389 authClient: 970
secure_socket_open()
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FR0437 authClient: 971
cipherspecs = 352F03060A09010204
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FR0460 authClient: 972
secure_socket_init()
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FU0441 secureRead: 973
recv() for: 5
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0443 secureRead: 974
(cs) got: 5
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0441 secureRead: 975
recv() for: 61
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0443 secureRead: 976
(cs) got: 61
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0520 secureWrite: 977
send() for: 7
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0522 secureWrite: 978
(cs) sent: 7
BPXF024I (FTPD) Sep 24 10:05:09 ftps 50397209 : FR0476 authClient: 979
init failed with rc = 402 (No SSL cipher specifications)
The server is defined with the following ciphersuite definitions:
CIPHERSUITE SSL_AES_256_SHA
CIPHERSUITE SSL_AES_128_SHA
CIPHERSUITE SSL_RC4_MD5_EX
CIPHERSUITE SSL_RC2_MD5_EX
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_NULL_MD5
CIPHERSUITE SSL_NULL_SHA
CIPHERSUITE SSL_RC4_MD5
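The `cipherspecs` value in the trace and the CIPHERSUITE list line up byte for byte if each two-digit z/OS cipher spec is read as the low byte of the standard TLS cipher-suite ID (0x0035 = AES-256-SHA, 0x002F = AES-128-SHA, and so on). The following Python example is added here and is not code from the ticket, FileZilla or IBM: it decodes the trace string, applies server-preference selection against a constructed client offer, and shows how an empty overlap is what an "init failed ... (No SSL cipher specifications)" result corresponds to. The byte-to-suite mapping and the client offers are assumptions, not something the ticket states.

```python
from typing import List, Optional

# IANA TLS cipher-suite IDs (RFC 2246 / RFC 3268 values) for the suites that
# appear in the z/OS trace. Assumption: a z/OS two-digit spec "xx" is 0x00xx.
TLS_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def decode_cipherspecs(hexstr: str) -> List[int]:
    """Split the z/OS cipherspecs trace string into suite IDs, order preserved."""
    if len(hexstr) % 2:
        raise ValueError("cipherspecs must be an even number of hex digits")
    return [int(hexstr[i:i + 2], 16) for i in range(0, len(hexstr), 2)]


def negotiate(server_specs: List[int], client_offer: List[int]) -> Optional[int]:
    """Server-preference selection: first server suite the client also offers.

    Returns None when the two lists do not overlap, which is the situation a
    'no cipher specifications' failure and a handshake_failure alert describe.
    """
    offered = set(client_offer)
    for suite in server_specs:
        if suite in offered:
            return suite
    return None


def weak_suites(specs: List[int]) -> List[int]:
    """Flag NULL, export-grade, single-DES and RC4 suites that should be dropped."""
    markers = ("NULL", "EXPORT", "_DES_", "RC4")
    return [s for s in specs if any(m in TLS_SUITES.get(s, "") for m in markers)]


# Value copied from the FTPD trace in comment 4.
SERVER_SPECS = decode_cipherspecs("352F03060A09010204")

if __name__ == "__main__":
    for s in SERVER_SPECS:
        print(f"0x{s:04x} {TLS_SUITES.get(s, 'unknown')}")
    # Constructed client offers: AES-only succeeds, RC4-SHA-only has no match.
    print(negotiate(SERVER_SPECS, [0x002F, 0x0035]))
    print(negotiate(SERVER_SPECS, [0x0005]))
```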
comment:5 by , 17 years ago
Does the server even support SSLv3 or TLSv1 or does it just support the old SSLv2?
comment:6 by , 17 years ago
Here is a link to IBM's documentation for the server in use:
http://preview.tinyurl.com/33jn89
The SSLV2 option is NOT in effect.
comment:7 by , 17 years ago
Is it possible to enable implicit SSL/TLS? (Port 990 by default)
Without it, it is very difficult/impossible to use the diagnostic tools.
comment:8 by , 17 years ago
Implicit TLS is supposed to be active by default but I can't get it to work.
I found the following in IBM's documentation:
Restrictions:
- Only RSA key exchange is supported.
- The following algorithms are subject to export regulations and might not be available to your system:
o Triple DES encryption, SHA authentication
o RC4 (128-bit) encryption, SHA authentication
o RC4 (128-bit) encryption, MD5 authentication
o AES (128-bit and 256-bit) encryption, SHA authentication
If this is the case, could that be the reason why FileZilla doesn't work?
comment:9 by , 17 years ago
Maybe, I have no idea. Implicit SSL/TLS needs to be available, then I could create some meaningful dumps to analyze and potentially forward to the GnuTLS devs.
comment:10 by , 17 years ago
This Tracker item was closed automatically by the system. It was previously set to a Pending status, and the original submitter did not respond within 14 days (the time period specified by the administrator of this Tracker).
Temporary access to the server would be very useful.