#7910 closed Bug report (rejected)
Unable to upload 550 The supplied message is incomplete. The signature was not verified.
Reported by: | y2k3005 | Owned by: | |
---|---|---|---|
Priority: | high | Component: | FileZilla Client |
Keywords: | tls 550 | Cc: | rsmile01 |
Component version: | | Operating system type: | Windows |
Operating system version: | Windows 7 64-bit, Mac OS X Lion 10.7.2 | | |
Description
Unable to upload files after web host enabled TLS 1.1/1.2. I can connect to the server and browse and download files, but uploading files fails:
FTP server: Microsoft FTP 7.5
Tried downgrading to 3.5.2; with the previous version of FileZilla it will not even connect. Normally in this case I would just turn off TLS 1.1/1.2 support on the server, but since I don't have such access I have worked around the problem by turning off TLS 1.1/1.2 on the client side. I also tried 3.5.3 from a Mac running OS X Lion, same result.
Here is the message log with debugging set to level 4:
20:13:07 Status: Connecting to XXX.XXX.XXX.XXX:21...
20:13:07 Status: Connection established, waiting for welcome message...
20:13:07 Trace: CFtpControlSocket::OnReceive()
20:13:07 Response: 220 Microsoft FTP Service
20:13:07 Trace: CFtpControlSocket::SendNextCommand()
20:13:07 Command: AUTH TLS
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 234 AUTH command ok. Expecting TLS Negotiation.
20:13:08 Status: Initializing TLS...
20:13:08 Trace: CTlsSocket::Handshake()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: CTlsSocket::OnSend()
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CTlsSocket::ContinueHandshake()
20:13:08 Trace: TLS Handshake successful
20:13:08 Trace: Cipher: AES-256-CBC, MAC: SHA256
20:13:08 Status: Verifying certificate...
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: USER XXXXXX
20:13:08 Status: TLS/SSL connection established.
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 331 Password required for XXXXXX.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: PASS XXXXXX
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 230 User logged in.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: OPTS UTF8 ON
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: PBSZ 0
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 200 PBSZ command successful.
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Command: PROT P
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 200 PROT command successful.
20:13:08 Status: Connected
20:13:08 Trace: CFtpControlSocket::ResetOperation(0)
20:13:08 Trace: CControlSocket::ResetOperation(0)
20:13:08 Trace: CFileZillaEnginePrivate::ResetOperation(0)
20:13:08 Status: Retrieving directory listing...
20:13:08 Trace: CFtpControlSocket::SendNextCommand()
20:13:08 Trace: CFtpControlSocket::ChangeDirSend()
20:13:08 Command: PWD
20:13:08 Trace: CTlsSocket::OnRead()
20:13:08 Trace: CFtpControlSocket::OnReceive()
20:13:08 Response: 257 "/" is current directory.
20:13:08 Trace: CFtpControlSocket::ResetOperation(0)
20:13:08 Trace: CControlSocket::ResetOperation(0)
20:13:08 Trace: CFtpControlSocket::ParseSubcommandResult(0)
20:13:08 Trace: CFtpControlSocket::ListSubcommandResult()
20:13:08 Trace: state = 1
20:13:08 Trace: CFtpControlSocket::ResetOperation(0)
20:13:08 Trace: CControlSocket::ResetOperation(0)
20:13:08 Status: Directory listing successful
20:13:08 Trace: CFileZillaEnginePrivate::ResetOperation(0)
20:13:11 Trace: CFtpControlSocket::FileTransfer()
20:13:11 Status: Starting upload of /FTPWorking/49.png
20:13:11 Trace: CFtpControlSocket::ParseSubcommandResult(0)
20:13:11 Trace: FileTransferSubcommandResult()
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: FileTransferSend()
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: CFtpControlSocket::TransferSend()
20:13:11 Trace: state = 2
20:13:11 Command: PASV
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CFtpControlSocket::OnReceive()
20:13:11 Response: 227 Entering Passive Mode (XXX,XXX,XXX,XXX,201,87).
20:13:11 Trace: CFtpControlSocket::TransferParseResponse()
20:13:11 Trace: code = 2
20:13:11 Trace: state = 2
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: CFtpControlSocket::TransferSend()
20:13:11 Trace: state = 4
20:13:11 Command: STOR 49.png
20:13:11 Trace: CTransferSocket::OnConnect
20:13:11 Trace: CTlsSocket::Handshake()
20:13:11 Trace: Trying to resume existing TLS session.
20:13:11 Trace: CTlsSocket::ContinueHandshake()
20:13:11 Trace: CTlsSocket::OnSend()
20:13:11 Trace: CTlsSocket::OnSend()
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CTlsSocket::ContinueHandshake()
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CFtpControlSocket::OnReceive()
20:13:11 Response: 150 Opening BINARY mode data connection.
20:13:11 Trace: CFtpControlSocket::TransferParseResponse()
20:13:11 Trace: code = 1
20:13:11 Trace: state = 4
20:13:11 Trace: CFtpControlSocket::SendNextCommand()
20:13:11 Trace: CFtpControlSocket::TransferSend()
20:13:11 Trace: state = 5
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CTlsSocket::ContinueHandshake()
20:13:11 Trace: TLS Handshake successful
20:13:11 Trace: TLS Session resumed
20:13:11 Trace: Cipher: AES-256-CBC, MAC: SHA256
20:13:11 Trace: CTransferSocket::OnConnect
20:13:11 Trace: CTlsSocket::Shutdown()
20:13:11 Trace: CTransferSocket::TransferEnd(1)
20:13:11 Trace: CFtpControlSocket::TransferEnd()
20:13:11 Trace: CTlsSocket::OnRead()
20:13:11 Trace: CFtpControlSocket::OnReceive()
20:13:11 Response: 550 The supplied message is incomplete. The signature was not verified.
20:13:11 Trace: CFtpControlSocket::TransferParseResponse()
20:13:11 Trace: code = 5
20:13:11 Trace: state = 7
20:13:11 Trace: CFtpControlSocket::ResetOperation(2)
20:13:11 Trace: CControlSocket::ResetOperation(2)
20:13:11 Trace: CFtpControlSocket::ParseSubcommandResult(2)
20:13:11 Trace: FileTransferSubcommandResult()
20:13:11 Trace: CFtpControlSocket::ResetOperation(2)
20:13:11 Trace: CControlSocket::ResetOperation(2)
20:13:11 Error: File transfer failed
20:13:11 Trace: CFileZillaEnginePrivate::ResetOperation(2)
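A way to triage a debug log like the one above, as an added example that is not part of the ticket or of FileZilla's code: it pairs each data command the server rejected with the TLS parameters negotiated on its data connection. The `triage` function and the condensed sample log are constructed for illustration.

```python
import re

# Constructed sample: condensed lines in the format of the message log above.
SAMPLE_LOG = """\
20:13:08 Trace: TLS Handshake successful
20:13:08 Trace: Cipher: AES-256-CBC, MAC: SHA256
20:13:11 Command: PASV
20:13:11 Response: 227 Entering Passive Mode (XXX,XXX,XXX,XXX,201,87).
20:13:11 Command: STOR 49.png
20:13:11 Trace: Trying to resume existing TLS session.
20:13:11 Response: 150 Opening BINARY mode data connection.
20:13:11 Trace: TLS Handshake successful
20:13:11 Trace: TLS Session resumed
20:13:11 Trace: Cipher: AES-256-CBC, MAC: SHA256
20:13:11 Response: 550 The supplied message is incomplete. The signature was not verified.
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+):\s*(.*)$")
CIPHER = re.compile(r"Cipher: (\S+), MAC: (\S+)")
DATA_CMDS = {"STOR", "RETR", "APPE", "LIST", "MLSD", "NLST"}

def triage(log_text):
    """Return one finding per data command the server rejected with 4xx/5xx."""
    findings, control_tls, pending = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, kind, text = m.groups()
        if kind == "Command" and text.partition(" ")[0] in DATA_CMDS:
            pending = {"time": ts, "command": text, "resumed": False, "data_tls": None}
        elif kind == "Trace" and text == "TLS Session resumed" and pending:
            pending["resumed"] = True
        elif kind == "Trace" and CIPHER.search(text):
            cipher, mac = CIPHER.search(text).groups()
            # CBC suites with a SHA-2 MAC exist only from TLS 1.2 on (RFC 5246),
            # so this pair reveals the version even though the log omits it.
            tls = {"cipher": cipher, "mac": mac,
                   "tls12_only": "CBC" in cipher and mac in ("SHA256", "SHA384")}
            if pending:
                pending["data_tls"] = tls   # handshake on the data connection
            else:
                control_tls = tls           # handshake on the control connection
        elif kind == "Response" and pending and re.match(r"\d{3}", text):
            if text[0] in "45":
                findings.append({**pending, "reply": text, "control_tls": control_tls})
            if text[0] != "1":  # 1xx is preliminary; anything else ends the transfer
                pending = None
    return findings
```

On the sample it reports the `STOR` as rejected with 550 after a resumed session whose cipher/MAC pair is only available in TLS 1.2.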
Change History (5)
comment:1 by , 12 years ago
comment:2 by , 10 years ago
Cc: | added |
---|---|
Priority: | normal → high |
While jlyons210's fix works, it is not a secure solution server-side. RC4 is or will be more of a vulnerability as time passes: https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
The FileZilla client should be fixed to allow other cipher suites for TLS like TLS_RSA_WITH_AES_128_CBC_SHA, which is the Windows default. While this suite is vulnerable to the BEAST attack, according to the security labs post, this vulnerability is less and less a problem compared to the "weak" RC4.
comment:3 by , 10 years ago
To elaborate, to have a secure SSL/FTP configuration on my IIS 7.5 web server, I had to disable SSL 2.0 and enable TLS 1.1 and 1.2 per security standards. Basically, this broke FileZilla FTPS with the error above. CuteFTP continues to function without issue.
comment:4 by , 10 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
It's a fault in your server.
Have a look at this topic for a lengthy discussion: viewtopic.php?f=2&t=27898. Microsoft has issued a hotfix to address this problem: http://support.microsoft.com/kb/2888853
comment:5 by , 10 years ago
Corrected link: https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898
I began experiencing this error when uploading files on IIS 8/Server 2012, and worked around it successfully by moving TLS_RSA_WITH_RC4_128_SHA to the top of the priority list on my FTP server as described in the link below.
http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx
It seems like the ideal solution would be a fix to the FileZilla client, so hopefully this steers the devs in the right direction.