Client cannot connect using Require explicit FTP over TLS

[Vlado]

CLIENT SIDE:

FileZilla Client

---

Version: 3.6.0.1

Build information:

Compiled for: i586-pc-mingw32msvc
Compiled on: x86_64-unknown-linux-gnu
Build date: 2012-11-18
Compiled with: i586-mingw32msvc-gcc (GCC) 4.2.1-sjlj (mingw32-2)
Compiler flags: -g -O2 -Wall -g -fexceptions

Linked against:

wxWidgets: 2.8.12
GnuTLS: 3.1.4
SQLite: 3.7.6.2

Operating system:

Name: Windows XP (build 2600, Service Pack 3)
Version: 5.1
Platform: 32 bit system

SERVER SIDE:

vsftpd-2.2.2-11.el6.i686 on CentOS 6.3 x86 configured with:

tcp_wrappers=YES
pasv_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES

CLIENT DEBUG LOG:
13:18:36 Trace: CControlSocket::DoClose(64)
13:18:36 Trace: CControlSocket::DoClose(64)
13:18:36 Status: Resolving address of xxx.sk
13:18:36 Status: Connecting to 213.xxx:21...
13:18:36 Status: Connection established, waiting for welcome message...
13:18:36 Trace: CFtpControlSocket::OnReceive()
13:18:36 Response: 220 Welcome to FTP PB service.
13:18:36 Trace: CFtpControlSocket::SendNextCommand()
13:18:36 Command: AUTH TLS
13:18:36 Trace: CFtpControlSocket::OnReceive()
13:18:36 Response: 234 Proceed with negotiation.
13:18:36 Status: Initializing TLS...
13:18:36 Trace: CTlsSocket::Handshake()
13:18:36 Trace: CTlsSocket::ContinueHandshake()
13:18:36 Trace: CTlsSocket::OnSend()
13:18:36 Trace: CTlsSocket::OnRead()
13:18:36 Trace: CTlsSocket::ContinueHandshake()
13:18:37 Trace: CTlsSocket::OnRead()
13:18:37 Trace: CTlsSocket::ContinueHandshake()
13:18:37 Trace: CTlsSocket::Failure(-12, 10053)
13:18:37 Trace: GnuTLS alert 40: Handshake failed
13:18:37 Error: GnuTLS error -12: A TLS fatal alert has been received.
13:18:37 Trace: CRealControlSocket::OnClose(10053)
13:18:37 Trace: CControlSocket::DoClose(64)
13:18:37 Trace: CFtpControlSocket::ResetOperation(66)
13:18:37 Trace: CControlSocket::ResetOperation(66)
13:18:37 Error: Could not connect to server
13:18:37 Trace: CFileZillaEnginePrivate::ResetOperation(66)
13:18:37 Status: Waiting to retry...

SERVER VSFTPD.LOG:
Mon Nov 19 14:05:00 2012 [pid 15066] CONNECT: Client "10.10.102.6"
Mon Nov 19 14:05:00 2012 [pid 15066] FTP response: Client "10.10.102.6", "220 Welcome to FTP PB service."
Mon Nov 19 14:05:00 2012 [pid 15066] FTP command: Client "10.10.102.6", "AUTH TLS"
Mon Nov 19 14:05:00 2012 [pid 15066] FTP response: Client "10.10.102.6", "234 Proceed with negotiation."
Mon Nov 19 14:05:01 2012 [pid 15066] DEBUG: Client "10.10.102.6", "SSL_accept failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"

HISTORY:
3.6.0.1 - does not connect
3.6.0 - worked fine!
3.5.3 - does not connect
3.5.2 (and older) - worked fine!

ADDITIONAL INFO:
There was no change in server configuration between trying FileZilla Client 3.6.0 and 3.6.0.1 - I tried 3.6.0 this morning and 3.6.0.1 this afternoon.
I have not old VSFTPD.LOG with Client 2.5.3, so I'm not sure if there was same error message "no shared cipher".

[Vlado]

I downgraded to 3.6.0 and added both client-side and server-side logs of successfull connection.

[Vlado]

Problem still remains in 3.6.0.2:

11:27:41 Status: Resolving address of pbmail.coopexsoft.sk
11:27:41 Status: Connecting to 213.....:21...
11:27:41 Status: Connection established, waiting for welcome message...
11:27:41 Response: 220 Welcome to FTP PB service.
11:27:41 Command: AUTH TLS
11:27:41 Response: 234 Proceed with negotiation.
11:27:41 Status: Initializing TLS...
11:27:41 Error: GnuTLS error -12: A TLS fatal alert has been received.
11:27:41 Error: Could not connect to server

I have to downgrade to 3.6.0 again.

[Alexander Schuch]

Weak ciphers are disabled in newer versions FileZilla Client. Can you enable strong ciphers in your FTP server so that client and server can negotiate any of the strong ciphers?

[Alexander Schuch]

This is a duplicate of #7873.