Opened 9 years ago

Closed 6 years ago

Last modified 6 years ago

#7873 closed Bug report (outdated)

"GnuTLS error -12: A TLS fatal alert has been received." + "no shared cipher"

Reported by: kempi29 Owned by: rudiganteng
Priority: normal Component: FileZilla Client
Keywords: gnutls-12 Cc: simon@…, h17117, jounijarvis@…
Component version: Operating system type:
Operating system version: Windows, Linux

Description

GnuTLS error -12: A TLS fatal alert has been received.

in new version 3.5.3 win client, old version 3.5.2 works just fine.
Server UNIX.

Change History (38)

comment:1 by David Anderson, 9 years ago

Same problem here.

Have run FileZilla 3.5.3 on Windows 7 and on Linux under Wine. Trying to log in to a server via explicit TLS. Server is running CentOS 5 latest update of vsftpd (vsftpd-2.0.5-21.el5).

FileZilla 3.5.2 logs in successfully. 3.5.3 returns:

"Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server"

comment:2 by David Anderson, 9 years ago

Priority: normalhigh

comment:3 by David Anderson, 9 years ago

Summary: TLS problemTLS problem - cannot login via TLS in 3.5.3 (3.5.2 fine)

comment:4 by Simon, 9 years ago

Same here, some more information:

Status:	Resolving address of xxxxxx.de
Status:	Connecting to xx.xx.xx.xx:21...
Status:	Connection established, waiting for welcome message...
Trace:	CFtpControlSocket::OnReceive()
Response:	220 Welcome to xxxxxx.de FTP service.
Trace:	CFtpControlSocket::SendNextCommand()
Command:	AUTH TLS
Trace:	CFtpControlSocket::OnReceive()
Response:	234 Proceed with negotiation.
Status:	Initializing TLS...
Trace:	CTlsSocket::Handshake()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::OnSend()
Trace:	CTlsSocket::OnRead()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::OnRead()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::Failure(-12, 10053)
Trace:	GnuTLS alert 40: Handshake failed
Error:	GnuTLS error -12: A TLS fatal alert has been received.
Trace:	CRealControlSocket::OnClose(10053)
Trace:	CControlSocket::DoClose(64)
Trace:	CFtpControlSocket::ResetOperation(66)
Trace:	CControlSocket::ResetOperation(66)
Error:	Could not connect to server
Trace:	CFileZillaEnginePrivate::ResetOperation(66)
Status:	Waiting to retry...
Trace:	CControlSocket::DoClose(64)
Trace:	CControlSocket::DoClose(64)
Error:	Connection attempt interrupted by user

comment:5 by Simon, 9 years ago

Cc: simon@… added

comment:6 by Lynch, 9 years ago

Operating system version: XP

Same problem on windows XP with Filezilla 3.5.3 Trying to login to VSFTPD 2.0.7 server on debian box with TLS explicit.

Here is the vsftpd server log:

Jan 10 12:08:24 xxxxxxx vsftpd: Tue Jan 10 12:08:24 2012 [pid 6862] CONNECT: Client "xxx.xxx.xxx.xxx"
Jan 10 12:08:24 xxxxxxx vsftpd: Tue Jan 10 12:08:24 2012 [pid 6862] FTP response: Client "xxx.xxx.xxx.xxx", "220 FTP:"
Jan 10 12:08:24 xxxxxxx vsftpd: Tue Jan 10 12:08:24 2012 [pid 6862] FTP command: Client "xxx.xxx.xxx.xxx", "AUTH TLS"
Jan 10 12:08:24 xxxxxxx vsftpd: Tue Jan 10 12:08:24 2012 [pid 6862] FTP response: Client "xxx.xxx.xxx.xxx", "234 Proceed with negotiation."
Jan 10 12:08:25 xxxxxxx vsftpd: Tue Jan 10 12:08:25 2012 [pid 6862] DEBUG: Client "xxx.xxx.xxx.xxx", "SSL_accept failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"

FileZilla 3.5.0 logs in successfully

in reply to:  6 comment:7 by brandon barker, 9 years ago

Same issue here. Connected with FTP over TLS just fine in 3.5.2, and in 3.5.3 cannot connect. Verified by downgrading FileZilla back to 3.5.2, and the same saved connection was able to connect just fine.
Local Machine: Windows 7 SP1
Server: Unix AIX 6.1
Status: Connection established, initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::Failure(-12, 10053)
Trace: GnuTLS alert 40: Handshake failed
Error: GnuTLS error -12: A TLS fatal alert has been received.
Trace: CRealControlSocket::OnClose(10053)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Status: Waiting to retry...

comment:8 by jeremy dyson, 9 years ago

Same issue, windows 7 with filezilla 3.5.3 worked fine before update about 5 minutes ago.

comment:9 by h17117, 9 years ago

Cc: h17117 added
Operating system version: XPXP, 2008R2
19:37:09	Status:	Resolving address of www.regarddepend.com
19:37:09	Status:	Connecting to 69.64.34.192:21...
19:37:10	Status:	Connection established, waiting for welcome message...
19:37:10	Response:	220 (vsFTPd 2.0.5)
19:37:10	Command:	AUTH TLS
19:37:10	Response:	234 Proceed with negotiation.
19:37:10	Status:	Initializing TLS...
19:37:10	Error:	GnuTLS error -12: A TLS fatal alert has been received.
19:37:10	Error:	Could not connect to server
19:37:10	Status:	Waiting to retry...
19:37:15	Status:	Delaying connection for 1 second due to previously failed connection attempt...

Server - vsftp, on centOS5

comment:10 by Mircea Vutcovici, 9 years ago

The problem is an incompatibility in the cipher suite that FileZilla is supporting and the cipher suite configured by default on vsftpd.

In the wireshark capture you can see:

Response arg: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

The solution is to add to the /etc/vsftpd.conf :

ssl_ciphers=HIGH

The default is DES-CBC3-SHA which seems that is not supported anymore by FileZilla

comment:11 by Simon, 9 years ago

The workaround suggested by mircea.vutcovici works, but not all users have access to the ftp-servers configuration.

I suggest to add a more detailed error message in this case, the "GnuTLS error -12" is not really self-explanatory.

in reply to:  10 comment:12 by Mircea Vutcovici, 9 years ago

Replying to mircea.vutcovici:

The problem is an incompatibility in the cipher suite that FileZilla is supporting and the cipher suite configured by default on vsftpd.

In the wireshark capture you can see:

Response arg: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

The solution is to add to the /etc/vsftpd.conf :

ssl_ciphers=HIGH

The default is DES-CBC3-SHA which seems that is not supported anymore by FileZilla

OS: Ubuntu 8.04.4 LTS 32 bit
vsftpd: 2.0.6-1ubuntu1.2
libssl0.9.8: 0.9.8g-4ubuntu3.13

comment:13 by harry, 9 years ago

I have the same prob here. I have win7 on my machine connecting to ruTorrent... Error: GnuTLS error -12: A TLS fatal alert has been received. All was fine before the update

comment:14 by Michael Davis, 9 years ago

Operating system version: XP, 2008R2Win 7

I have the same problem. I only have a couple servers I use that require TLS (all with Core Commerce), but I can no longer access them.

Unfortunately their support is recommending changing FTP client's. I would prefer not to do that, but is there any plan to address this or do we just have to move on if server side fixes are not available to us?

comment:15 by muntain, 9 years ago

Same problem with vsftpd 2.0.6 on a red hat
Filezilla Client 3.5.3 can't login
3.5.2 it's ok

comment:16 by Simon, 9 years ago

Could be fixed with Revision 4390 (http://svn.filezilla-project.org/filezilla?revision=4390&view=revision), will try this revision today.

comment:17 by calimano, 9 years ago

@bratkartoffel, I don't see how that will resolve your issue seeing as vsftpd doesn't even support DH cipher suites.

Your issue and everyone elses is that your vsftpd configuration defaults to using 3DES as the cipher and filezilla client no longer supports it.

The only way to resolve this is by changing the cipher to something else.

comment:18 by blaubeerpfannkuchen, 9 years ago

Operating system version: Win 7Win 7, XP

same problem 3.5.3 (3.5.2 fine) by loggin in from Win7+XP onto a Seagate NAS 110 server. Problem with NAS server: it is preconfigured Unix with a web GUI. It is not intented to change settings there as root.

comment:19 by calimano, 9 years ago

@blaubeerpfannkuchen, It's possible to change the configuration file on the Seagate NAS 110 just google for instructions.

in reply to:  description comment:20 by Marketto, 9 years ago

Same problem here in new version 3.5.3 win client, old version 3.5.2 works just fine.

Replying to kempi29:

GnuTLS error -12: A TLS fatal alert has been received.

in new version 3.5.3 win client, old version 3.5.2 works just fine.
Server UNIX.

comment:21 by nyama, 9 years ago

I am afraid to say that many users go away from FileZilla due to this problem.

comment:22 by Jouni Järvinen, 9 years ago

Cc: jounijarvis@… added
Keywords: -12 gnutls added

Exactly same error here, same FZ, XP Pro SP3, Debian 6, ProFTPD 1.3.3a. I've not tried using FTPS with implicit SSL/TLS, just excplicit cuz it uses same port as FTP.

Debug trace:

16:47:50	Status:	Connecting to xxx.xxx.xxx.xxx:21...
16:47:50	Status:	Connection established, waiting for welcome message...
16:47:50	Trace:	CFtpControlSocket::OnReceive()
16:47:50	Response:	220 ProFTPD 1.3.3a Server (xxxxxxxxxx) [::XXXX:xxx.xxx.xxx.xxx]
16:47:50	Trace:	CFtpControlSocket::SendNextCommand()
16:47:50	Command:	AUTH TLS
16:47:50	Trace:	CFtpControlSocket::OnReceive()
16:47:50	Response:	234 AUTH TLS successful
16:47:50	Status:	Initializing TLS...
16:47:50	Trace:	CTlsSocket::Handshake()
16:47:50	Trace:	CTlsSocket::ContinueHandshake()
16:47:50	Trace:	CTlsSocket::OnSend()
16:47:50	Trace:	CTlsSocket::OnRead()
16:47:50	Trace:	CTlsSocket::ContinueHandshake()
16:47:50	Trace:	CTlsSocket::OnRead()
16:47:50	Trace:	CTlsSocket::ContinueHandshake()
16:47:50	Trace:	CTlsSocket::Failure(-12, 10053)
16:47:50	Trace:	GnuTLS alert 40: Handshake failed
16:47:50	Error:	GnuTLS error -12: A TLS fatal alert has been received.
16:47:50	Trace:	CRealControlSocket::OnClose(10053)
16:47:50	Trace:	CControlSocket::DoClose(64)
16:47:50	Trace:	CFtpControlSocket::ResetOperation(66)
16:47:50	Trace:	CControlSocket::ResetOperation(66)
16:47:50	Error:	Could not connect to server
16:47:50	Trace:	CFileZillaEnginePrivate::ResetOperation(66)

comment:23 by Augustus Carter, 9 years ago

We are encountering the same problem using FileZilla 3.5.3 on Windows XP and Windows 7.

Status: Connecting to ...
Status: Connection established, waiting for welcome mesasge...
Response: ...
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server
Status: Waiting to retry...

We had to go back to FileZilla 3.5.2 as a work-around.

comment:24 by Simon, 9 years ago

The solution is to add to the /etc/vsftpd.conf :

ssl_ciphers=HIGH

This is a workaround on server-side, it's working for me like a charm. But still not happy with it, but it seems this "bug" will remain in filezilla as vsftpd is a little out-dated regarding ssl-ciphers and -strength.

Regards,
Simon

in reply to:  24 ; comment:25 by Jouni Järvinen, 9 years ago

Operating system type: Windows
Operating system version: Win 7, XPWin 7, XP, Linux

Replying to bratkartoffel:

The solution is to add to the /etc/vsftpd.conf :

ssl_ciphers=HIGH

What about ProFTPD ?

Same issue, tested on

  • Linux Mint 10 which bases on Ubuntu 10.10
  • Ubuntu 11.10

Not sure about what to put as 'Operating system type'.

in reply to:  25 comment:26 by Kbh, 9 years ago

Simon this does not work for me on windows 7. Still getting errors. Are you modifying anything else ?

/Kbh

The solution is to add to the /etc/vsftpd.conf :

ssl_ciphers=HIGH

This is a workaround on server-side, it's working for me like a charm. But still not happy with it, but it seems this "bug" will remain in filezilla as vsftpd is a little out-dated regarding ssl-ciphers and -strength.
Regards,
Simon


Replying to rautamiekka:

Replying to bratkartoffel:

The solution is to add to the /etc/vsftpd.conf :

ssl_ciphers=HIGH

Eventbureau København What about ProFTPD ?

Same issue, tested on

  • Linux Mint 10 which bases on Ubuntu 10.10
  • Ubuntu 11.10

Not sure about what to put as 'Operating system type'.

comment:27 by Simon, 9 years ago

Hi Kbh,

as i said this is a workaround you can set on your server. This implies that you use vsftpd as ftp-software there. Have you restarted vsftdp after changing the setting?
e.g. on ubuntu / debian execute:

/etc/init.d/vsftpd restart

Regards,
Simon

in reply to:  27 comment:28 by Kbh, 9 years ago

Nope, and doing that worked :)

Thanks !
/Kbh

Replying to bratkartoffel:

Hi Kbh,

as i said this is a workaround you can set on your server. This implies that you use vsftpd as ftp-software there. Have you restarted vsftdp after changing the setting?
e.g. on ubuntu / debian execute:

/etc/init.d/vsftpd restart

Regards,
Simon

comment:29 by gar, 8 years ago

This is a strange idea of reasonable behavior for a production FTP client: breaking compatibility with huge swaths of FTP servers, and then ignoring the problem for half a year. Off to WinSCP...

comment:30 by Alexander Schuch, 8 years ago

Keywords: 3.5.3 added

comment:31 by Søren Juul, 8 years ago

The

set_cipers=HIGH

trick for vsftpd seems to only be working when

chroot_local_user=YES

is not set (or set to NO)

comment:32 by Alexander Schuch, 8 years ago

Keywords: 3.5.3 removed
Operating system version: Win 7, XP, LinuxWindows, Linux
Priority: highnormal
Summary: TLS problem - cannot login via TLS in 3.5.3 (3.5.2 fine)"GnuTLS error -12: A TLS fatal alert has been received." + "no shared cipher"

Here another summary from #8322:

"HISTORY:
3.6.0.1 - does not connect
3.6.0 - worked fine!
3.5.3 - does not connect
3.5.2 (and older) - worked fine!"

The proposed "fix" is to use strong ciphers (as mentioned in previous posts) or not use encryption at all.

in reply to:  31 comment:33 by Vlado, 8 years ago

Replying to zpon:

trick for vsftpd seems to only be working when

chroot_local_user=YES

is not set (or set to NO)

ssl_ciphers=HIGH works for me despite the fact that I have chroot_local_user=YES!
vsftpd-2.2.2-11.el6.i686
FileZilla_3.6.0.2_win32-setup.exe
CentOS release 6.3

comment:34 by Alexander Schuch, 8 years ago

Keywords: gnutls-12 added; TLS -12 gnutls removed

comment:35 by rudiganteng, 6 years ago

Owner: set to rudiganteng
Status: newaccepted

comment:36 by Tim Kosse, 6 years ago

Resolution: outdated
Status: acceptedclosed

comment:38 by David Anderson, 6 years ago

Cc: filezilla-project@… added

comment:39 by David Anderson, 6 years ago

Cc: filezilla-project@… removed
Note: See TracTickets for help on using tickets.