Opened 8 years ago

Closed 8 years ago

Last modified 6 years ago

#7742 closed Patch (fixed)

FTPES handshake fails with GnuTLS 3

Reported by: Sid Owned by:
Priority: normal Component: FileZilla Client
Keywords: Cc:
Component version: Operating system type: Linux
Operating system version: Archlinux

Description

When using GnuTLS 2.12.7 FileZilla could successfully connect using FTPES, however after upgrading to GnuTLS 3 (and compiling FileZilla against it) when trying to connect I get the following error:

Status:	Resolving address of <redacted>
Status:	Connecting to <redacted>:21...
Status:	Connection established, waiting for welcome message...
Trace:	CFtpControlSocket::OnReceive()
Response:	220 (vsFTPd 2.3.4)
Trace:	CFtpControlSocket::SendNextCommand()
Command:	AUTH TLS
Trace:	CFtpControlSocket::OnReceive()
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Trace:	CTlsSocket::Handshake()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	GnuTLS alert 40: Handshake failed
Error:	GnuTLS error -12: A TLS fatal alert has been received.
Trace:	CRealControlSocket::OnClose(103)
Trace:	CFtpControlSocket::ResetOperation(66)
Trace:	CControlSocket::ResetOperation(66)
Error:	Could not connect to server
Status:	Waiting to retry...
Status:	Resolving address of apiratelifeforme.com
Status:	Connecting to <redacted>:21...
Status:	Connection established, waiting for welcome message...
Trace:	CFtpControlSocket::OnReceive()
Response:	220 (vsFTPd 2.3.4)
Trace:	CFtpControlSocket::SendNextCommand()
Command:	AUTH TLS
Trace:	CFtpControlSocket::OnReceive()
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Trace:	CTlsSocket::Handshake()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	GnuTLS alert 40: Handshake failed
Error:	GnuTLS error -12: A TLS fatal alert has been received.
Trace:	CRealControlSocket::OnClose(103)
Trace:	CFtpControlSocket::ResetOperation(66)
Trace:	CControlSocket::ResetOperation(66)
Error:	Could not connect to server

I can successfully connect with FileZilla from Windows and from Linux if I downgrade GnuTLS, so the server works just fine.

Attachments (1)

patch.txt (789 bytes) - added by janus 8 years ago.
Patch to fix the issue. The SECURE256 ciphersuites requested by filezilla do not have common ciphersuites with the common servers (SECURE256 got more strict in gnutls3).

Download all attachments as: .zip

Change History (6)

comment:1 Changed 8 years ago by pavel

Confirm tha same error for me under Arch Linux

01:03:55	Trace:	CFtpControlSocket::SendNextCommand()
01:03:55	Command:	AUTH TLS
01:03:55	Trace:	CFtpControlSocket::OnReceive()
01:03:55	Response:	234 AUTH TLS OK.
01:03:55	Status:	Initializing TLS...
01:03:55	Trace:	CTlsSocket::Handshake()
01:03:55	Trace:	CTlsSocket::ContinueHandshake()
01:03:55	Trace:	CTlsSocket::OnSend()
01:03:56	Trace:	CTlsSocket::OnRead()
01:03:56	Trace:	CTlsSocket::ContinueHandshake()
01:03:56	Trace:	CTlsSocket::Failure(-12, 103)
01:03:56	Trace:	GnuTLS alert 40: Handshake failed
01:03:56	Error:	GnuTLS error -12: A TLS fatal alert has been received.
01:03:56	Trace:	CRealControlSocket::OnClose(103)
01:03:56	Trace:	CControlSocket::DoClose(64)
01:03:56	Trace:	CFtpControlSocket::ResetOperation(66)
01:03:56	Trace:	CControlSocket::ResetOperation(66)
01:03:56	Error:	Could not connect to server
01:03:56	Trace:	CFileZillaEnginePrivate::ResetOperation(66)

It works when downgraded and tested for arch linux x86_64 and i686, the same error
filezilla (3.5.1-1 => 3.5.0-1)
gnutls (3.0.2-1 => 2.12.6.1-1)

comment:2 Changed 8 years ago by Sid

I feel dernik's comment, while useful, is slightly misleading. This is not a regression that is fixed by reverting to FileZilla 3.5.0. Rather in archlinux the migration to gnutls 3 coincided with FileZilla 3.5.1 being released, as such 3.5.1 was compiled against gnutls 3 while 3.5.0 was compiled against gnutls 2.12.6. That explains why he's downgrading both of them to get it working again.

I've seen other tickets where a developer asked for server access to fix issues. I can set up a test server mirroring my set-up if needed.

Changed 8 years ago by janus

Attachment: patch.txt added

Patch to fix the issue. The SECURE256 ciphersuites requested by filezilla do not have common ciphersuites with the common servers (SECURE256 got more strict in gnutls3).

comment:3 Changed 8 years ago by Sid

I can confirm this patch fixes the problem. Should I change the status of this ticket or is that for the devs to do?
Thanks

comment:4 Changed 8 years ago by janus

Type: Bug reportPatch

comment:5 Changed 8 years ago by Tim Kosse

Resolution: fixed
Status: newclosed

Thanks, a slightly different change has been applied to the repository.

Note: See TracTickets for help on using tickets.