FTPS does not work

[Dmitry Dzevel]

Configured Filezilla server v. 0.9.36 for FTPES and FTPS.

FTPES works OK: at first login server send client certificate, after accepting, it connects to the site.
FTPS does not work: same client, same server. Server does not sends certificate to client. Up on connection, I receive error: "500 Syntax error, command unrecognized".

I thought it was due to firewall so installed server and client on the same machine to remove and dependencies on firewall or routers: same result. I tested this with server version 0.9.34, 0.9.35.

CLient is Filezilla 3.3.4.1 but i had same results with SmartFTP client.
FTPES log:
Status: Resolving address of nycw9854
Status: Connecting to 10.3.7.240:21...
Status: Connection established, waiting for welcome message...
Response: 220-FileZilla Server version 0.9.36 beta
Response: 220 DD Test
Command: AUTH TLS
Response: 234 Using authentication type TLS
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER ddtest
Status: TLS/SSL connection established.
Response: 331 Password required for ddtest
Command: PASS
Response: 230 Logged on
Command: SYST
Response: 215 UNIX emulated by FileZilla
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: REST STREAM
Response: SIZE
Response: MLST type*;size*;modify*;
Response: MLSD
Response: AUTH SSL
Response: AUTH TLS
Response: UTF8
Response: CLNT
Response: MFMT
Response: 211 End
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Protection level set to P
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (10,3,7,240,19,138)
Command: MLSD
Response: 150 Connection accepted
Response: 226 Transfer OK
Status: Directory listing successful
Status: Disconnected from server

FTPS log:
Status: Resolving address of nycw9854
Status: Connecting to 10.3.7.240:990...
Status: Connection established, initializing TLS...
Error: Connection timed out
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of nycw9854
Status: Connecting to 10.3.7.240:990...
Status: Connection established, initializing TLS...
Error: Connection timed out
Error: Could not connect to server

Server log:

(000011)9/10/2010 16:46:12 PM - (not logged in) (10.3.7.240)> Connected, sending welcome message...
(000011)9/10/2010 16:46:12 PM - (not logged in) (10.3.7.240)> AUTH TLS
(000011)9/10/2010 16:46:12 PM - (not logged in) (10.3.7.240)> 234 Using authentication type TLS
(000011)9/10/2010 16:46:13 PM - (not logged in) (10.3.7.240)> SSL connection established
(000011)9/10/2010 16:46:23 PM - (not logged in) (10.3.7.240)> USER ddtest
(000011)9/10/2010 16:46:23 PM - (not logged in) (10.3.7.240)> 331 Password required for ddtest
(000011)9/10/2010 16:46:23 PM - (not logged in) (10.3.7.240)> PASS
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 230 Logged on
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> SYST
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 215 UNIX emulated by FileZilla
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> FEAT
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 211-Features:
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> MDTM
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> REST STREAM
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> SIZE
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> MLST type*;size*;modify*;
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> MLSD
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> AUTH SSL
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> AUTH TLS
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> UTF8
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> CLNT
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> MFMT
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 211 End
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> PBSZ 0
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 200 PBSZ=0
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> PROT P
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 200 Protection level set to P
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> PWD
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 257 "/" is current directory.
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> TYPE I
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 200 Type set to I
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> PASV
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 227 Entering Passive Mode (10,3,7,240,19,138)
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> MLSD
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 150 Connection accepted
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> SSL connection for data connection established
(000011)9/10/2010 16:46:23 PM - ddtest (10.3.7.240)> 226 Transfer OK
(000011)9/10/2010 16:46:31 PM - ddtest (10.3.7.240)> disconnected.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> Connected, sending welcome message...
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)>
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> C
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> ?LŠ™·ù$´26*ŽÃ‚ AŽ¯²N®ç‰ \›&‡(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)>
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 3
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 9
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)>
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 2
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 8
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)>
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> f
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> /
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 5
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)>
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)>
(000012)9/10/2010 16:46:31 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000012)9/10/2010 16:46:52 PM - (not logged in) (10.3.7.240)> disconnected.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> Connected, sending welcome message...
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)>
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> C
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> ?LŠ™ä×mCßõ¿Wü
è$¥8áâÚVèjÈ!Ú
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)>
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 3
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 9
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)>
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 2
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 8
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)>
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> f
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> /
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 5
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)>
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)>
(000013)9/10/2010 16:46:57 PM - (not logged in) (10.3.7.240)> 500 Syntax error, command unrecognized.
(000013)9/10/2010 16:47:18 PM - (not logged in) (10.3.7.240)> disconnected.

Filezilla Server and Filezilla client installed on the same machine - for test.

[Dmitry Dzevel]

Server config.

[Tim Kosse]

Incorrect configuration. You need to use the SSL port for implicit FTP over TLS, only explicit FTP over TLS can share the same port as regular FTP.

[Dmitry Dzevel]

Replying to codesquid:

Incorrect configuration. You need to use the SSL port for implicit FTP over TLS, only explicit FTP over TLS can share the same port as regular FTP.

??!!

I'm using port 990 for implicit FTPS. Logs I've attached to the ticket shown that
FTPES (SSL over port 21) is working OK, but FTPS - SSL over port 990 -
does not. I had sent output from from both: FTPES and FTPS - please doublecheck. Why else i mentioned FTPES: it uses same certificate so no issue with it.

I've attached server config. Can you please check what if anything in the configuration i should changed to fix FTPS issue.

FTPS does not work when i use Filezilla FTP server. For test I had
installed Cerberus FTP server on the same machine, configured same
way: ports 21 and 990, FTPS and FTPES only, allow connection only via SSL, etc. Cerberus FTP works with no problem.

You should not close this ticket. I need to fix this problem ASAP.

Dmitry

[Dmitry Dzevel]

Any updates on this?

[putte]

Your configuration file contains these lines:

<Item name="Serverports" type="string">21 22 990</Item>
...
<Item name="Implicit SSL ports" type="string">991</Item>

So have you tried connecting to port 991? If it works, try setting "Serverports" to 21 and "Implicit SSL ports" to 990.

From the log it looks like you have configured FileZilla to expect an unencrypted control connection on port 990, which obviously doesn't work.

[sumsome]

I guess, Probably this error happens because you have checked "Allow implicit SSL/TLS" (or "Disallow plain unencrypted FTP") box.
Thus, during first server/client connection the server should send through unencrypted stream the digital certificate and client should accept the one. Disallowing plain unencrypted FTP (or allowing impicit SSL/TLS) you forbid during the first send the digital certificate and therefore you got syntax error because server expects totally encrypted commands and when server gets unencrypted command, the server sees it as encrypted.
It's just my opinion. Try to remove implicit connection during first run and let accept server's certificate by FTP client and then enable again and PROFIT.

[Alexander Schuch]

Guess the original poster does not have the problem anymore, as there is no reply.