remote ftp ssl access failed
-
@johnpoz the filezilla version is:
3.54.1I have updated to version 3.55 but the result does not change
thanks.
-
@sasa1 I would update, and then turn on detailed logging..
Right click in the log window area
You might want to turn on debug as well
Then your log will look like this
Status: Resolving address of test.rebex.net Status: Connecting to 195.144.107.198:21... Status: Connection established, waiting for welcome message... Trace: CFtpControlSocket::OnReceive() Response: 220 Microsoft FTP Service Trace: CFtpLogonOpData::ParseResponse() in state 1 Trace: CControlSocket::SendNextCommand() Trace: CFtpLogonOpData::Send() in state 2 Command: AUTH TLS Trace: CFtpControlSocket::OnReceive() Response: 234 AUTH command ok. Expecting TLS Negotiation. Trace: CFtpLogonOpData::ParseResponse() in state 2 Status: Initializing TLS... Trace: tls_layer_impl::client_handshake() Trace: tls_layer_impl::continue_handshake() Trace: TLS handshake: About to send CLIENT HELLO Trace: TLS handshake: Sent CLIENT HELLO Trace: tls_layer_impl::on_send() Trace: tls_layer_impl::continue_handshake() Trace: tls_layer_impl::on_read() Trace: tls_layer_impl::continue_handshake() Trace: tls_layer_impl::on_read() Trace: tls_layer_impl::continue_handshake() Trace: tls_layer_impl::on_read() Trace: tls_layer_impl::continue_handshake() Trace: tls_layer_impl::on_read() Trace: tls_layer_impl::continue_handshake() Trace: TLS handshake: Received SERVER HELLO Trace: TLS handshake: Processed SERVER HELLO Trace: TLS handshake: Received CERTIFICATE Trace: TLS handshake: Processed CERTIFICATE Trace: TLS handshake: Received CERTIFICATE STATUS Trace: TLS handshake: Processed CERTIFICATE STATUS Trace: TLS handshake: Received SERVER KEY EXCHANGE Trace: TLS handshake: Processed SERVER KEY EXCHANGE Trace: TLS handshake: Received SERVER HELLO DONE Trace: TLS handshake: Processed SERVER HELLO DONE Trace: TLS handshake: About to send CLIENT KEY EXCHANGE Trace: TLS handshake: Sent CLIENT KEY EXCHANGE Trace: TLS handshake: About to send FINISHED Trace: TLS handshake: Sent FINISHED Trace: tls_layer_impl::on_read() Trace: tls_layer_impl::continue_handshake() Trace: TLS handshake: Received FINISHED Trace: TLS handshake: Processed FINISHED Trace: TLS Handshake successful Trace: Protocol: TLS1.2, Key exchange: ECDHE-SECP521R1-RSA-SHA1, Cipher: AES-256-CBC, MAC: SHA1 Trace: tls_layer_impl::verify_certificate() Status: Verifying certificate... Trace: CFtpControlSocket::SetAsyncRequestReply Status: TLS connection established. Trace: CControlSocket::SendNextCommand() Trace: CFtpLogonOpData::Send() in state 6 Command: USER demo Trace: CFtpControlSocket::OnReceive() Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 331 Password required for demo. Trace: CFtpLogonOpData::ParseResponse() in state 6 Trace: CControlSocket::SendNextCommand() Trace: CFtpLogonOpData::Send() in state 6 Command: PASS ******** Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 230 User logged in. Trace: CFtpLogonOpData::ParseResponse() in state 6 Trace: CControlSocket::SendNextCommand() Trace: CFtpLogonOpData::Send() in state 10 Command: OPTS UTF8 ON Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON. Trace: CFtpLogonOpData::ParseResponse() in state 10 Trace: CControlSocket::SendNextCommand() Trace: CFtpLogonOpData::Send() in state 11 Command: PBSZ 0 Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 200 PBSZ command successful. Trace: CFtpLogonOpData::ParseResponse() in state 11 Trace: CControlSocket::SendNextCommand() Trace: CFtpLogonOpData::Send() in state 12 Command: PROT P Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 200 PROT command successful. Trace: CFtpLogonOpData::ParseResponse() in state 12 Status: Logged in Trace: Measured latency of 128 ms Trace: CFtpControlSocket::ResetOperation(0) Trace: CControlSocket::ResetOperation(0) Trace: CFtpLogonOpData::Reset(0) in state 15 Trace: CFileZillaEnginePrivate::ResetOperation(0) Trace: CControlSocket::SendNextCommand() Trace: CFtpListOpData::Send() in state 0 Status: Retrieving directory listing... Trace: CFtpChangeDirOpData::Send() in state 0 Trace: CFtpChangeDirOpData::Send() in state 1 Command: PWD Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 257 "/" is current directory. Trace: CFtpChangeDirOpData::ParseResponse() in state 1 Trace: CFtpControlSocket::ResetOperation(0) Trace: CControlSocket::ResetOperation(0) Trace: CFtpChangeDirOpData::Reset(0) in state 1 Trace: CFtpListOpData::SubcommandResult(0) in state 1 Trace: CControlSocket::SendNextCommand() Trace: CFtpListOpData::Send() in state 2 Trace: CFtpRawTransferOpData::Send() in state 0 Trace: CFtpRawTransferOpData::Send() in state 1 Command: TYPE I Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 200 Type set to I. Trace: CFtpRawTransferOpData::ParseResponse() in state 1 Trace: CControlSocket::SendNextCommand() Trace: CFtpRawTransferOpData::Send() in state 2 Command: PASV Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 227 Entering Passive Mode (195,144,107,198,4,9). Trace: CFtpRawTransferOpData::ParseResponse() in state 2 Trace: CControlSocket::SendNextCommand() Trace: CFtpRawTransferOpData::Send() in state 4 Trace: Binding data connection source IP to control connection source IP 192.168.9.100 Trace: tls_layer_impl::client_handshake() Trace: Trying to resume existing TLS session. Command: LIST -a Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 150 Opening BINARY mode data connection. Trace: CFtpRawTransferOpData::ParseResponse() in state 4 Trace: CControlSocket::SendNextCommand() Trace: CFtpRawTransferOpData::Send() in state 5 Trace: tls_layer_impl::on_send() Trace: tls_layer_impl::continue_handshake() Trace: TLS handshake: About to send CLIENT HELLO Trace: TLS handshake: Sent CLIENT HELLO Trace: tls_layer_impl::on_read() Trace: tls_layer_impl::continue_handshake() Trace: TLS handshake: Received SERVER HELLO Trace: TLS handshake: Processed SERVER HELLO Trace: TLS handshake: Received FINISHED Trace: TLS handshake: Processed FINISHED Trace: TLS handshake: About to send FINISHED Trace: TLS handshake: Sent FINISHED Trace: TLS Handshake successful Trace: TLS Session resumed Trace: Protocol: TLS1.2, Key exchange: ECDHE-SECP521R1, Cipher: AES-256-CBC, MAC: SHA1 Trace: tls_layer_impl::verify_certificate() Trace: CTransferSocket::OnConnect Trace: CTransferSocket::OnReceive(), m_transferMode=0 Trace: tls_layer_impl::on_read() Trace: CTransferSocket::OnReceive(), m_transferMode=0 Trace: CTransferSocket::TransferEnd(1) Trace: tls_layer_impl::shutdown() Trace: tls_layer_impl::continue_shutdown() Trace: CFtpControlSocket::TransferEnd() Trace: tls_layer_impl::on_read() Trace: CFtpControlSocket::OnReceive() Response: 226 Transfer complete. Trace: CFtpRawTransferOpData::ParseResponse() in state 7 Trace: CFtpControlSocket::ResetOperation(0) Trace: CControlSocket::ResetOperation(0) Trace: CFtpRawTransferOpData::Reset(0) in state 7 Trace: CFtpListOpData::SubcommandResult(0) in state 3 Trace: CFtpControlSocket::ResetOperation(0) Trace: CControlSocket::ResetOperation(0) Trace: CFtpListOpData::Reset(0) in state 3 Status: Directory listing of "/" successful Trace: CFileZillaEnginePrivate::ResetOperation(0)Which will show us more info about the TLS exchange..
You could also try clearing your cached certs? If your on windows that would be here "%APPDATA%\FileZilla"
There is a trustedcerts.xml file.
Once you have cleared the certs - you should see popup like I showed in my connections with details of the cert they are presenting you.
-
@johnpoz I deleted the trustedcerts.xml file, enabled verbose logging and debugging.
I attach files with the errors received.
Thanks.
debug 4.txt -
Looks like you never got the hello back..
Traccia: tls_layer_impl::client_handshake() Traccia: tls_layer_impl::continue_handshake() Traccia: TLS handshake: About to send CLIENT HELLO Traccia: TLS handshake: Sent CLIENT HELLO Traccia: tls_layer_impl::on_send() Traccia: tls_layer_impl::continue_handshake() Traccia: tls_layer_impl::on_read() Traccia: tls_layer_impl::continue_handshake() Traccia: tls_layer_impl::on_read() Traccia: tls_layer_impl::continue_handshake() Traccia: tls_layer_impl::failure(-110)Maybe you could update your timeout? I believe it defaults to 60 seconds.. Maybe yours is lower, or you could say up it to 120 seconds? The way I read that is you never got the answer back from the client hello - server hello..
For sanity shake you could sniff on pfsense wan when you try it.. You should be able to see what is sent and gotten back.. But yeah never going to get far if you never get the server hello back to work out the handshake..
Are you doing any sort of vpn on pfsense, do you have multiple wan connections? Anything like that?
-
@johnpoz I took the timed-out to 120 seconds but to no avail.
yes there is an active vpn with openswan.I disabled the vpn but unfortunately the result does not change
Thanks.
-
Could you route your connection to this ftps server around that vpn..
If you capture your traffic and disable the ftp decode wireshark will do on it - you can then view the tls info.. So example here sniff via a connection... You can see my client hello and then the server hello..
-
@johnpoz I disabled the vpn connection and removed the rules related to the vpn but unfortunately the problem remains the same.
Thanks. -
Well if they don't send you a server hello - then no you would not be able to connect.
A sniff will show you what pfsense sees on its wan in return.. There would be no reason pfsense would not send this traffic to your client if it actually got it..
-
@johnpoz do i have to use wireshark or can i use logs generated by pfsense?
thanks. -
No you sniff with pfsense (diagnostic packet capture) - its just the log they show in that output even with full info set is going to be hard to read.. Just do the sniff and then download it and open it with wireshark.. Makes it much easier to view/read/understand, etc.
You can set it to only capture the IP of the ftps server.. 195.144.107.198 so its not all that big.. And has only the data your interested in vs all the other traffic that flowing.
You will have to tell wireshark not to decode it as ftp - which is what it will most likely auto do.. Then it would look like this..
What your interested in is the tls stuff - so telling wireshark not to decode as ftp will make it easier to see the tls stuff..
The view the package capture ok depending on what specific your looking for - but for something like this download the capture and use your fav network analyzer.. Unless you think you could make heads or talls of this ;)
-
This post is deleted! -
-
That is not the wan.. Do the packet capture on pfsense.. Just download it to view in wireshark..
And I showed you exactly how to disable the ftp decode wireshark is doing..
But even that can see 195.x sending you a FIN... Closing the session..
-
@johnpoz I have installed wireshark on the server where I use Filezilla, from this server can I connect wireshark to control the pfsense WAN traffic or do I have to install wireshark on pfsense?
Thanks. -
Dude look at the picture I posted... You can do the packet capture right on pfsense... Then just download the pcap and open it with wireshark on any machine you want..
see the post from above
in pfsense here
-
@johnpoz now I followed your instructions, in pfsense I captured the packages, I downloaded the file which I then opened in whireshark, I attach the result.
Thanks.
-
I don't see you sending client hello there, your sending fin,ack - means done with this conversation.
-
@johnpoz in Filezilla I try the ftp connection and the exchanged packets are the ones I sent you, I also tried from another PC and the result is the same.
What can I try?
thank you -
Well if your client is not sending hello, and just closing the connection.. That is on the client.
Can you post up packet capture from your test machine.. This will only have your local IP and the servers IP in, so I can take a look and compare to mine.. As you saw in my sniff client hello is sent.. Your log shows sent, but its not what the sniff shows.
You should be able to attach your sniff, or post it else where and let me know the link, etc.
-
