Opened 9 years ago

Closed 6 years ago

Last modified 6 years ago

#7910 closed Bug report (rejected)

Unable to upload 550 The supplied message is incomplete. The signature was not verified.

Reported by: y2k3005 Owned by:
Priority: high Component: FileZilla Client
Keywords: tls 550 Cc: rsmile01
Component version: Operating system type: Windows
Operating system version: Windows 7 64-bit, Mac OS X Lion 10.7.2

Description

Unable to upload files after web host enabled TLS 1.1/1.2, I can connect to the server and browse and download files, but uploading files fails:

FTP Server Microsoft FTP 7.5

Tried downgrading to 3.5.2, with the previous version of FileZilla it will not even connect. While I would normally in this case just turn off TLS 1.1/1.2 support on the server, but since I don't have such access I have worked around the problem by turning off TLS 1.1/1.2 on the client side. I also tried 3.5.3 from a Mac running OS X Lion, same result.

Here is the message log with debugging set to level 4:

20:13:07 Status: Connecting to XXX.XXX.XXX.XXX:21...
20:13:07 Status: Connection established, waiting for welcome message...
20:13:07 Trace: CFtpControlSocket::OnReceive()
20:13:07 Response: 220 Microsoft FTP Service
20:13:07 Trace: CFtpControlSocket::SendNextCommand()
20:13:07 Command: AUTH TLS
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 234 AUTH command ok. Expecting TLS Negotiation.
20:13:08 Status: Initializing TLS...
20:13:08 Trace: CTlsSocket::Handshake()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: CTlsSocket::OnSend()
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: TLS Handshake successful
20:13:08 Trace: Cipher: AES-256-CBC, MAC: SHA256
20:13:08 Status: Verifying certificate...
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: USER XXXXXX
20:13:08 Status: TLS/SSL connection established.
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 331 Password required for XXXXXX.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: PASS XXXXXX
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 230 User logged in.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: OPTS UTF8 ON
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: PBSZ 0
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 200 PBSZ command successful.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: PROT P
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 200 PROT command successful.
20:13:08 Status: Connected
20:13:08 Trace: CFtpControlSocket::ResetOperation(0)
20:13:08 Trace: CControlSocket::ResetOperation(0)
20:13:08 Trace: CFileZillaEnginePrivate::ResetOperation(0)
20:13:08 Status: Retrieving directory listing...
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Trace: CFtpControlSocket::ChangeDirSend()
20:13:08 Command: PWD
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 257 "/" is current directory.
20:13:08 Trace: CFtpControlSocket::ResetOperation(0)
20:13:08 Trace: CControlSocket::ResetOperation(0)
20:13:08 Trace: CFtpControlSocket::ParseSubcommandResult(0)
20:13:08 Trace: CFtpControlSocket::ListSubcommandResult()
20:13:08 Trace: state = 1
20:13:08 Trace: CFtpControlSocket::ResetOperation(0)
20:13:08 Trace: CControlSocket::ResetOperation(0)
20:13:08 Status: Directory listing successful
20:13:08 Trace: CFileZillaEnginePrivate::ResetOperation(0)
20:13:11 Trace: CFtpControlSocket::FileTransfer()
20:13:11 Status: Starting upload of /FTPWorking/49.png
20:13:11 Trace: CFtpControlSocket::ParseSubcommandResult(0)
20:13:11 Trace: FileTransferSubcommandResult()
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: FileTransferSend()
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: CFtpControlSocket::TransferSend()
20:13:11 Trace: state = 2
20:13:11 Command: PASV
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CFtpControlSocket::OnReceive()
20:13:11 Response: 227 Entering Passive Mode (XXX,XXX,XXX,XXX,201,87).
20:13:11 Trace: CFtpControlSocket::TransferParseResponse()
20:13:11 Trace: code = 2
20:13:11 Trace: state = 2
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: CFtpControlSocket::TransferSend()
20:13:11 Trace: state = 4
20:13:11 Command: STOR 49.png
20:13:11 Trace: CTransferSocket::OnConnect
20:13:11 Trace: CTlsSocket::Handshake()
20:13:11 Trace: Trying to resume existing TLS session.
20:13:11 Trace: CTlsSocket::ContinueHandshake()
20:13:11 Trace: CTlsSocket::OnSend()
20:13:11 Trace: CTlsSocket::OnSend()
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CTlsSocket::ContinueHandshake()
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CFtpControlSocket::OnReceive()
20:13:11 Response: 150 Opening BINARY mode data connection.
20:13:11 Trace: CFtpControlSocket::TransferParseResponse()
20:13:11 Trace: code = 1
20:13:11 Trace: state = 4
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: CFtpControlSocket::TransferSend()
20:13:11 Trace: state = 5
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CTlsSocket::ContinueHandshake()
20:13:11 Trace: TLS Handshake successful
20:13:11 Trace: TLS Session resumed
20:13:11 Trace: Cipher: AES-256-CBC, MAC: SHA256
20:13:11 Trace: CTransferSocket::OnConnect
20:13:11 Trace: CTlsSocket::Shutdown()
20:13:11 Trace: CTransferSocket::TransferEnd(1)
20:13:11 Trace: CFtpControlSocket::TransferEnd()
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CFtpControlSocket::OnReceive()
20:13:11 Response: 550 The supplied message is incomplete. The signature was not verified.
20:13:11 Trace: CFtpControlSocket::TransferParseResponse()
20:13:11 Trace: code = 5
20:13:11 Trace: state = 7
20:13:11 Trace: CFtpControlSocket::ResetOperation(2)
20:13:11 Trace: CControlSocket::ResetOperation(2)
20:13:11 Trace: CFtpControlSocket::ParseSubcommandResult(2)
20:13:11 Trace: FileTransferSubcommandResult()
20:13:11 Trace: CFtpControlSocket::ResetOperation(2)
20:13:11 Trace: CControlSocket::ResetOperation(2)
20:13:11 Error: File transfer failed
20:13:11 Trace: CFileZillaEnginePrivate::ResetOperation(2)

Change History (5)

comment:1 by jlyons210, 8 years ago

I began experiencing this error when uploading files on IIS 8/Server 2012, and worked around it successfully by moving TLS_RSA_WITH_RC4_128_SHA to the top of the priority list on my FTP server as described in the link below.

http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

It seems like the ideal solution would be a fix to the FileZilla client, so hopefully this steers the devs in the right direction.

comment:2 by rsmile01, 6 years ago

Cc: rsmile01 added
Priority: normalhigh

While jlyons210 fix works, it is not a secure solution server-side. RC4 is or will be more of a vulnerability as time passes: https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat The FileZilla client should be fixed to allow other cipher suites for TLS like TLS_RSA_WITH_AES_128_CBC_SHA which is Windows default. While this suite is vulnerable to the BEAST attack, according to the security labs post, this vulnerability is less and less a problem compared to the "weak" RC4.

comment:3 by rsmile01, 6 years ago

To elaborate, to have a secure SSL/FTP configuration on my IIS 7.5 web server, I had to disable SSL 2.0 and enable TLS 1.1 and 1.2 per security standards. Basically, this broke FileZilla FTPS with the error above. CuteFTP continues to function without issue.

comment:4 by Tim Kosse, 6 years ago

Resolution: rejected
Status: newclosed

It's a fault in your server.

Have a look at this topic for a lengthy discussion: viewtopic.php?f=2&t=27898. Microsoft has issued a hotfix to address this problem: http://support.microsoft.com/kb/2888853

Note: See TracTickets for help on using tickets.