Opened 12 years ago

Last modified 6 years ago

#1294 closed Bug report

TLS handshake failure with MVS server

Reported by: r0br1b
Owned by:
Priority: normal
Component: FileZilla Client
Keywords:
Cc: r0br1b, Tim Kosse
Component version:
Operating system type:
Operating system version:

Description

The messages below are received when trying to connect to an IBM z/OS FTP server using explicit TLS (the product SmartFTP can successfully establish a secure connection):

Status: Resolving IP-Address for xxx.xxx.xxx
Trace: ControlSocket.cpp(948): CRealControlSocket::ContinueConnect(01387750) m_pEngine=0112BE18 caller=013A6508
Status: Connecting to nnn.nnn.nnn.nnn:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at xxx.xxx.xxx, 10:18:13 on 2007-09-23.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Command: USER xxx
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::Handshake()
Trace: GnuTLS alert 40: Handshake failed
Trace: GnuTLS error -12: A TLS fatal alert has been received.
Trace: CRealControlSocket::OnClose()
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server

I can provide the ip address to the server in case you wish to try this out.

Change History (10)

comment:1 Changed 12 years ago by Tim Kosse

Temporary access to the server would be very useful.

comment:2 Changed 12 years ago by r0br1b

The server can be found on 83.32.251.106 port 21.

comment:3 Changed 12 years ago by Tim Kosse

The connection gets closed by the server with a "Handshake failed" alert without further information.

Is there any message in the server logs? (You might have to turn on verbose logging on your server)

comment:4 Changed 12 years ago by r0br1b

The following trace entries might be of interest:

BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FR0389 authClient: 970 secure_socket_open()
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FR0437 authClient: 971 cipherspecs = 352F03060A09010204
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FR0460 authClient: 972 secure_socket_init()
BPXF024I (FTPD) Sep 24 10:05:05 ftps 50397209 : FU0441 secureRead: 973 recv() for: 5
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0443 secureRead: 974 (cs) got: 5
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0441 secureRead: 975 recv() for: 61
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0443 secureRead: 976 (cs) got: 61
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0520 secureWrite: 977 send() for: 7
BPXF024I (FTPD) Sep 24 10:05:08 ftps 50397209 : FU0522 secureWrite: 978 (cs) sent: 7
BPXF024I (FTPD) Sep 24 10:05:09 ftps 50397209 : FR0476 authClient: 979 init failed with rc = 402 (No SSL cipher specifications)

The server is defined with the following ciphersuite definitions:

CIPHERSUITE SSL_AES_256_SHA
CIPHERSUITE SSL_AES_128_SHA
CIPHERSUITE SSL_RC4_MD5_EX
CIPHERSUITE SSL_RC2_MD5_EX
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_NULL_MD5
CIPHERSUITE SSL_NULL_SHA
CIPHERSUITE SSL_RC4_MD5

comment:5 Changed 12 years ago by Tim Kosse

Does the server even support SSLv3 or TLSv1 or does it just support the old SSLv2?

comment:6 Changed 12 years ago by r0br1b

Here is a link to IBM's documentation for the server in use:
http://preview.tinyurl.com/33jn89
The SSLV2 option is NOT in effect.

comment:7 Changed 12 years ago by Tim Kosse

Possible to enable implicit SSL/TLS? (Port 990 by default)

Without it, it is very difficult/impossible to use the diagnostic tools.

comment:8 Changed 12 years ago by r0br1b

Implicit TLS is supposed to be active by default but I can't get it to work.
I found the following in IBM's documentation:

Restrictions:

  • Only RSA key exchange is supported.
  • The following algorithms are subject to export regulations and might not be available to your system:
      o Triple DES encryption, SHA authentication
      o RC4 (128-bit) encryption, SHA authentication
      o RC4 (128-bit) encryption, MD5 authentication
      o AES (128-bit and 256-bit) encryption, SHA authentication

If this is the case, could that be the reason why FileZilla doesn't work?
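
The following script is an added worked example and is not part of the ticket or of FileZilla or IBM code. It takes the `cipherspecs = 352F03060A09010204` value from the server trace in comment 4 and the `CIPHERSUITE` definitions below it, and relates them to the export-restriction excerpt in comment 8. It assumes that each pair of hex digits in the trace is an IBM System SSL two-character cipher spec code and that those codes equal the low byte of the corresponding IANA `TLS_RSA_*` cipher suite values (0x35 = TLS_RSA_WITH_AES_256_CBC_SHA, 0x2F = TLS_RSA_WITH_AES_128_CBC_SHA, and so on); the name table and both client offer lists are constructed for the example. Decoding the trace value in this way reproduces the nine `CIPHERSUITE` lines in their configured order, and the `negotiable()` check shows how a handshake ends with an empty common set (the server's "No SSL cipher specifications") when the client offers no RSA-key-exchange suite, or when the export-restricted suites are absent and the client does not accept NULL, DES or 40-bit export ciphers.

```python
# Added example, not from the FileZilla ticket or IBM documentation.
# Decodes the z/OS FTP "cipherspecs" trace value, cross-checks it against the
# CIPHERSUITE configuration, audits suite strength, and computes the set a
# client could negotiate. Assumption: each hex pair is an IBM System SSL
# two-character cipher spec code equal to the low byte of the IANA value.
from typing import Dict, List, Set, Tuple

# IANA cipher suite (low byte; high byte is 0x00 for all of these) -> (name, class)
CIPHER_SPECS: Dict[int, Tuple[str, str]] = {
    0x01: ("TLS_RSA_WITH_NULL_MD5", "null"),
    0x02: ("TLS_RSA_WITH_NULL_SHA", "null"),
    0x03: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "export"),
    0x04: ("TLS_RSA_WITH_RC4_128_MD5", "legacy"),
    0x05: ("TLS_RSA_WITH_RC4_128_SHA", "legacy"),
    0x06: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "export"),
    0x09: ("TLS_RSA_WITH_DES_CBC_SHA", "legacy"),
    0x0A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "legacy"),
    0x2F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "strong"),
    0x35: ("TLS_RSA_WITH_AES_256_CBC_SHA", "strong"),
}

# IBM FTP.DATA CIPHERSUITE keyword -> cipher spec code (same code space as above)
IBM_KEYWORDS: Dict[str, int] = {
    "SSL_NULL_MD5": 0x01, "SSL_NULL_SHA": 0x02, "SSL_RC4_MD5_EX": 0x03,
    "SSL_RC4_MD5": 0x04, "SSL_RC4_SHA": 0x05, "SSL_RC2_MD5_EX": 0x06,
    "SSL_DES_SHA": 0x09, "SSL_3DES_SHA": 0x0A, "SSL_AES_128_SHA": 0x2F,
    "SSL_AES_256_SHA": 0x35,
}

# Suites the comment 8 excerpt lists as subject to export regulations:
# 3DES/SHA, RC4-128/SHA, RC4-128/MD5, AES-128/SHA, AES-256/SHA.
EXPORT_RESTRICTED: Set[int] = {0x0A, 0x05, 0x04, 0x2F, 0x35}

# Values taken from the ticket (comment 4).
TRACE_CIPHERSPECS = "352F03060A09010204"
CIPHERSUITE_CONFIG = """
CIPHERSUITE SSL_AES_256_SHA
CIPHERSUITE SSL_AES_128_SHA
CIPHERSUITE SSL_RC4_MD5_EX
CIPHERSUITE SSL_RC2_MD5_EX
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_NULL_MD5
CIPHERSUITE SSL_NULL_SHA
CIPHERSUITE SSL_RC4_MD5
"""

# Constructed client offers (16-bit IANA values), not captured from any client.
CLIENT_RSA_AES: Set[int] = {0x0035, 0x002F, 0x000A}      # RSA kx, AES/3DES CBC
CLIENT_ECDHE_ONLY: Set[int] = {0xC02F, 0xC030}           # ECDHE-RSA AES-GCM only


def decode_cipherspecs(hex_string: str) -> List[int]:
    """Split the trace value into one-byte cipher spec codes in server preference order."""
    s = hex_string.strip()
    if len(s) % 2 or not all(ch in "0123456789abcdefABCDEF" for ch in s):
        raise ValueError("cipherspecs must be an even-length hex string")
    return [int(s[i:i + 2], 16) for i in range(0, len(s), 2)]


def config_to_codes(config_text: str) -> List[int]:
    """Parse CIPHERSUITE lines into cipher spec codes, preserving configured order."""
    codes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].upper() == "CIPHERSUITE":
            codes.append(IBM_KEYWORDS[parts[1].upper()])
    return codes


def name_of(code: int) -> str:
    """IANA suite name for a cipher spec code, or a labelled unknown."""
    return CIPHER_SPECS.get(code, (f"unknown(0x{code:02X})", "unknown"))[0]


def audit(server_codes: List[int]) -> Dict[str, List[str]]:
    """Group the server's suites by strength class; null and export entries are the audit findings."""
    groups: Dict[str, List[str]] = {"strong": [], "legacy": [], "export": [], "null": [], "unknown": []}
    for c in server_codes:
        groups[CIPHER_SPECS.get(c, ("", "unknown"))[1]].append(name_of(c))
    return groups


def negotiable(server_codes: List[int], client_suites: Set[int],
               export_restricted: bool = False) -> List[int]:
    """Suites both sides share, in server preference order.
    With export_restricted=True the EXPORT_RESTRICTED suites are treated as absent,
    modelling the availability caveat quoted in comment 8."""
    usable = [c for c in server_codes if not (export_restricted and c in EXPORT_RESTRICTED)]
    return [c for c in usable if c in client_suites]   # high byte 0x00 == code itself


if __name__ == "__main__":
    server = decode_cipherspecs(TRACE_CIPHERSPECS)
    print("trace matches config:", server == config_to_codes(CIPHERSUITE_CONFIG))
    for cls, names in audit(server).items():
        print(f"{cls:8s} {names}")
    for label, client in (("RSA/AES client", CLIENT_RSA_AES), ("ECDHE-only client", CLIENT_ECDHE_ONLY)):
        for restricted in (False, True):
            common = [name_of(c) for c in negotiable(server, client, restricted)]
            print(f"{label}, export_restricted={restricted}: {common or 'none (rc 402 territory)'}")
```

Run as-is to see the decoded list, the strength audit (two NULL suites, two 40-bit export suites and single DES are findings a z/OS administrator would normally remove from FTP.DATA), and the negotiation outcomes for the two constructed clients.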

comment:9 Changed 12 years ago by Tim Kosse

Maybe, I have no idea. Implicit SSL/TLS needs to be available, then I could create some meaningful dumps to analyze and potentially forward to the GnuTLS devs.

comment:10 Changed 12 years ago by sf-robot

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
