#5061 closed defect (fixed)
SSL version number incompatibility
Reported by: | lee.norman@… | Owned by: | dkocher |
---|---|---|---|
Priority: | normal | Milestone: | 4.1 |
Component: | ftp-tls | Version: | 3.5.1 |
Severity: | normal | Keywords: | TLS |
Cc: | | Architecture: | Intel |
Platform: | Mac OS X 10.6 | | |
Description (last modified by dkocher)
- 1/ Successfully able to connect to the server via CuteFTP Pro Mac using FTPS (SSL FTP).
- 2/ Not able to connect using the Cyberduck FTP-SSL option. When a connection is attempted, Cyberduck reports "unrecognized SSL message".
- 3/ I have uploaded the screenshot of Cyberduck and the transcript from CuteFTP Pro Mac for your verification.
Aug 28 12:18:13 mod_tls/2.4.1[27312]: unable to accept TLS connection: protocol error: (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Attachments (4)
Change History (22)
Changed on Jul 20, 2010 at 2:06:58 PM by lee.norman@…
Changed on Jul 20, 2010 at 2:07:27 PM by lee.norman@…
screen shot of failed cyberduck connection to show transcript
comment:1 Changed on Aug 9, 2010 at 1:46:53 PM by dkocher
- Description modified (diff)
- Resolution set to worksforme
- Status changed from new to closed
- Summary changed from Unable to connect via FTP-SSL with explicit AUTH TLS (unrecognized SSL message) to Unrecognized SSL message
After the AUTH TLS we initiate the SSL handshake and expect all responses from the server over SSL.
CuteFTP log:

```
220 ProFTPD 1.3.3 Server (Xirvik FTP server) [74.63.86.114]
AUTH TLS
234 AUTH TLS successful
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
USER encd16f3
331 Password required for encd16f3
PASS ********
230 User encd16f3 logged in
```

Cyberduck log:

```
220 ProFTPD 1.3.3 Server (Xirvik FTP server) [74.63.86.114]
AUTH TLS
234 AUTH TLS successful
USER dkocher
```
comment:2 Changed on Aug 9, 2010 at 1:47:24 PM by dkocher
- Description modified (diff)
comment:4 follow-up: ↓ 5 Changed on Aug 9, 2010 at 1:50:36 PM by dkocher
Updating to ProFTPD 1.3.3a should resolve this issue.
comment:5 in reply to: ↑ 4 Changed on Aug 18, 2010 at 2:11:47 PM by lee.norman@…
Replying to dkocher:
Updating to ProFTPD 1.3.3a should resolve this issue.
Updated. Still the same issue. Uploaded new screenshots.
comment:6 follow-up: ↓ 7 Changed on Aug 18, 2010 at 2:19:22 PM by lee.norman@…
- Priority changed from high to normal
- Resolution worksforme deleted
- Status changed from closed to reopened
Changed on Aug 18, 2010 at 2:22:17 PM by lee.norman@…
Still errors out after updating to 1.3.3a as suggested by the previous resolution.
comment:7 in reply to: ↑ 6 Changed on Aug 24, 2010 at 6:29:57 AM by dkocher
Replying to lee.norman@…:
Can you please post the logging from the ProFTPD server log?
comment:8 Changed on Aug 28, 2010 at 5:28:51 PM by dkocher
Client SSL debug log.
```
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1283016458 bytes = { 23, 106, 142, 243, 242, 72, 216, 24, 63, 73, 99, 221, 250, 71, 187, 59, 195, 104, 10, 136, 140, 14, 237, 51, 71, 156, 246, 233 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 79
0000: 01 00 00 4B 03 01 4C 79 47 0A 17 6A 8E F3 F2 48  ...K..LyG..j...H
0010: D8 18 3F 49 63 DD FA 47 BB 3B C3 68 0A 88 8C 0E  ..?Ic..G.;.h....
0020: ED 33 47 9C F6 E9 00 00 24 00 04 00 05 00 2F 00  .3G.....$...../.
0030: 35 00 33 00 39 00 32 00 38 00 0A 00 16 00 13 00  5.3.9.2.8.......
0040: 09 00 15 00 12 00 03 00 08 00 14 00 11 01 00     ...............
pool-1-thread-3, WRITE: TLSv1 Handshake, length = 79
[write] MD5 and SHA1 hashes:  len = 107
0000: 01 03 01 00 42 00 00 00 20 00 00 04 01 00 80 00  ....B... .......
0010: 00 05 00 00 2F 00 00 35 00 00 33 00 00 39 00 00  ..../..5..3..9..
0020: 32 00 00 38 00 00 0A 07 00 C0 00 00 16 00 00 13  2..8............
0030: 00 00 09 06 00 40 00 00 15 00 00 12 00 00 03 02  .....@..........
0040: 00 80 00 00 08 00 00 14 00 00 11 4C 79 47 0A 17  ...........LyG..
0050: 6A 8E F3 F2 48 D8 18 3F 49 63 DD FA 47 BB 3B C3  j...H..?Ic..G.;.
0060: 68 0A 88 8C 0E ED 33 47 9C F6 E9                 h.....3G...
pool-1-thread-3, WRITE: SSLv2 client hello message, length = 107
[Raw write]: length = 109
0000: 80 6B 01 03 01 00 42 00 00 00 20 00 00 04 01 00  .k....B... .....
0010: 80 00 00 05 00 00 2F 00 00 35 00 00 33 00 00 39  ....../..5..3..9
0020: 00 00 32 00 00 38 00 00 0A 07 00 C0 00 00 16 00  ..2..8..........
0030: 00 13 00 00 09 06 00 40 00 00 15 00 00 12 00 00  .......@........
0040: 03 02 00 80 00 00 08 00 00 14 00 00 11 4C 79 47  .............LyG
0050: 0A 17 6A 8E F3 F2 48 D8 18 3F 49 63 DD FA 47 BB  ..j...H..?Ic..G.
0060: 3B C3 68 0A 88 8C 0E ED 33 47 9C F6 E9           ;.h.....3G...
[Raw read]: length = 5
0000: 35 35 30 20 54                                   550 T
pool-1-thread-3, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
pool-1-thread-3, SEND TLSv1 ALERT:  fatal, description = unexpected_message
pool-1-thread-3, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 0A                             .......
pool-1-thread-3, called closeSocket()
pool-1-thread-3, called close()
pool-1-thread-3, called closeInternal(true)
2010-08-28 19:27:38,627 [pool-1-thread-3] ERROR ch.cyberduck.core.ftp.FTPSession - Connection attempt canceled
```
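Added diagnostic, not Cyberduck's or ProFTPD's code: it classifies the first five bytes of each exchange quoted in the client log above (the 0x80-framed SSLv2-compatible ClientHello the client wrote, the cleartext "550 T" the server answered with, and the TLSv1 alert the client then sent). The rule that a TLSv1-only server accepts only SSL3/TLS record framing is an assumption that mirrors the TLSProtocol advice in this ticket.

```python
from dataclasses import dataclass

# Constructed from the byte dumps in the ticket's client debug log above.
V2_HELLO_HEAD = bytes.fromhex("80 6B 01 03 01")   # [Raw write], length = 109
SERVER_REPLY = b"550 T"                           # [Raw read], length = 5
ALERT_HEAD = bytes.fromhex("15 03 01 00 02")      # fatal unexpected_message

TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert",
               0x16: "Handshake", 0x17: "ApplicationData"}


@dataclass
class Peek:
    kind: str     # "sslv2-hello", "tls-record", "plaintext" or "unknown"
    version: str  # protocol version carried in the header ("" if none)
    detail: str


def classify(head: bytes) -> Peek:
    """Classify the first five bytes read from (or written to) the socket."""
    if len(head) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2 record: 2-byte length with the high bit set, then msg type 0x01
    # (CLIENT-HELLO) and the highest version offered (03 01 = TLS 1.0).
    if head[0] & 0x80 and head[2] == 0x01:
        length = ((head[0] & 0x7F) << 8) | head[1]
        return Peek("sslv2-hello", f"{head[3]}.{head[4]}", f"record length {length}")
    # SSLv3/TLS record: content type, 2-byte version, 2-byte length.
    if head[0] in TLS_CONTENT and head[1] == 0x03:
        length = (head[3] << 8) | head[4]
        return Peek("tls-record", f"{head[1]}.{head[2]}",
                    f"{TLS_CONTENT[head[0]]} length {length}")
    # Printable ASCII means the peer is still speaking cleartext FTP.
    if all(0x20 <= b < 0x7F for b in head):
        return Peek("plaintext", "", head.decode("ascii"))
    return Peek("unknown", "", head.hex())


def accepted_by_tlsv1_only_server(head: bytes) -> bool:
    """Assumption mirroring the ticket: a server restricted to TLSv1 parses
    only SSL3/TLS record headers, so SSLv2 framing is rejected ("wrong
    version number"), whereas SSLv23 mode also accepts the v2 framing."""
    return classify(head).kind == "tls-record"


if __name__ == "__main__":
    for label, head in (("client hello", V2_HELLO_HEAD),
                        ("server reply", SERVER_REPLY),
                        ("client alert", ALERT_HEAD)):
        print(f"{label:12s} -> {classify(head)}")
```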
Changed on Aug 30, 2010 at 12:04:25 PM by lee.norman@…
ftpd log for SSL containing both successful and failed logins
comment:9 Changed on Aug 30, 2010 at 12:09:34 PM by lee.norman@…
Hi - uploaded the log, containing both failed FTP TLS logins and successful ones using a different client. This is a sample extract of a failed login attempt:

```
Aug 28 12:18:09 mod_tls/2.4.1[27312]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Aug 28 12:18:12 mod_tls/2.4.1[27312]: TLS/TLS-C requested, starting TLS handshake
Aug 28 12:18:13 mod_tls/2.4.1[27312]: unable to accept TLS connection: protocol error: (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Aug 28 12:18:13 mod_tls/2.4.1[27312]: TLS/TLS-C negotiation failed on control channel
Aug 28 18:47:57 mod_tls/2.4.1[24384]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
```

This is a successful one:

```
Aug 30 11:49:16 mod_tls/2.4.1[7767]: Protection set to Private
Aug 30 11:49:17 mod_tls/2.4.1[7767]: starting TLS negotiation on data connection
Aug 30 11:49:17 mod_tls/2.4.1[7767]: TLSv1/SSLv3 renegotiation accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Aug 30 11:49:17 mod_tls/2.4.1[7767]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
```

The last entries are from a Firefox FTP plugin (!!) via an AUTH TLS connection.
comment:10 Changed on Sep 1, 2010 at 1:48:58 PM by dkocher
Can you check the server log for any messages (usually proftpd.log)?
comment:11 Changed on Nov 20, 2010 at 6:09:01 PM by dkocher
- Description modified (diff)
- Resolution set to thirdparty
- Status changed from reopened to closed
- Summary changed from Unrecognized SSL message to SSL version number incompatibility
Please check that the TLSProtocol setting in your server configuration file has the value SSLv23.
comment:12 Changed on Nov 20, 2010 at 6:12:21 PM by dkocher
Added reference in wiki to ProFTPd compatibility notes.
comment:13 follow-up: ↓ 14 Changed on Nov 23, 2010 at 7:00:37 AM by lee.norman@…
- Resolution thirdparty deleted
- Status changed from closed to reopened
Hi - Tried and still not able to connect. I am just wondering (in the absence of real knowledge) why SSL has much to do with TLS. Issue still not resolved.
comment:14 in reply to: ↑ 13 Changed on Nov 23, 2010 at 9:13:00 AM by dkocher
- Milestone set to 4.0
Replying to lee.norman@…:
Hi - Tried and still not able to connect. I am just wondering (in the absence of real knowledge) why SSL has much to do with TLS. Issue still not resolved.
Please contact your server administrator about the configuration change needed. We are still looking into a resolution here that could work with any configuration.
comment:15 follow-up: ↓ 16 Changed on Nov 23, 2010 at 9:24:46 AM by lee.norman@…
Hi, just to be sure: the configuration has been changed and I have retested, and Cyberduck doesn't connect. The change made was setting TLSProtocol to SSLv23. If there is any way that we can make Cyberduck connect and transfer encrypted using TLS, I'd love to hear it.
comment:16 in reply to: ↑ 15 Changed on Nov 23, 2010 at 11:34:16 AM by dkocher
Replying to lee.norman@…:
Hi, just to be sure: the configuration has been changed and I have retested, and Cyberduck doesn't connect. The change made was setting TLSProtocol to SSLv23. If there is any way that we can make Cyberduck connect and transfer encrypted using TLS, I'd love to hear it.
What does the ProFTPd log say?
comment:17 Changed on Nov 23, 2010 at 11:37:28 AM by dkocher
- Resolution set to fixed
- Status changed from reopened to closed
As of r7717 we should be interoperable with the TLSProtocol TLSv1 option. Disabled SSLv2 for all SSL sockets.
comment:18 Changed on Nov 24, 2010 at 5:10:21 PM by dkocher
- Milestone changed from 4.0 to 4.1
- Resolution fixed deleted
- Status changed from closed to reopened
Reverted in r7722.
comment:19 Changed on Nov 28, 2010 at 4:24:04 PM by dkocher
- Resolution set to fixed
- Status changed from reopened to closed
Fix committed in r7792 when running on JRE 6 or later.
cuteftp successful connection transcript