3.0 beta 1: cannot connect using FTP with Explicit SSL

Discussion of bugs and problems found in Altap Salamander. In your reports, please be as descriptive as possible, and report one incident per report. Do not post crash reports here, send us the generated bug report by email instead, please.
DDD
Posts: 6
Joined: 15 Jan 2013, 19:15

3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by DDD »

Hello,

I am unable to connect to my server using FTP with Explicit SSL. I am getting this:
Unable to establish encrypted connection (SSL).
Error: SSL_connect returned 1: error:00000001:lib(0):func(0):reason(1)
I have tried both x86 and x64 versions of Salamander and I even tried replacing Salamander's OpenSSL libraries with their newest version, to no avail.

I have created a test account for you to try it out:
ftp://34695.w95.wedos.net
user: w34695_test
password: jGJWNgQ8

http://kb.wedos.com/problemy-ftp.html
Could one of these problems be the reason?
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

I'm unable to reproduce this problem, please see attached screenshot.

Could it be some problem with your firewall or internet connection?
Attachment: ftp.png
Ether
Posts: 1471
Joined: 10 May 2007, 16:08
Location: Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Ether »

I can confirm this problem with the same error message when I enable encryption. I compiled this URL for easier testing: ftps://w34695_test:jGJWNgQ8@34695.w95.wedos.net

This is the communication as captured with Wireshark:
server wrote: 220 (vsFTPd 2.2.2)
Salamander wrote: AUTH TLS
server wrote: 234 Proceed with negotiation.
Salamander wrote: ...........P.....D...y.....X.X...............\...
.9.8.........5...........
...
.....3.2.....E.D...../...A.................................
server wrote: .......(500 OOPS: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
500 OOPS: child died
Ελληνικά rulez.
Ether
Posts: 1471
Joined: 10 May 2007, 16:08
Location: Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Ether »

FileZilla can connect successfully. Here are hex dumps of the client negotiations (the part after 234 Proceed with negotiation.):
Salamander wrote:

0000000A  16 03 00 00 87 01 00 00  83 03 00 50 f6 b8 5c 5e ........ ...P..\^
0000001A  e3 d6 9d ab 3b 5f b7 61  7c bf 49 66 4e 36 04 08 ....;_.a |.IfN6..
0000002A  d2 3f 36 03 a4 c3 b1 c7  48 c1 7e 00 00 5c c0 14 .?6..... H.~..\..
0000003A  c0 0a 00 39 00 38 00 88  00 87 c0 0f c0 05 00 35 ...9.8.. .......5
0000004A  00 84 c0 12 c0 08 00 16  00 13 c0 0d c0 03 00 0a ........ ........
0000005A  c0 13 c0 09 00 33 00 32  00 9a 00 99 00 45 00 44 .....3.2 .....E.D
0000006A  c0 0e c0 04 00 2f 00 96  00 41 00 07 c0 11 c0 07 ...../.. .A......
0000007A  c0 0c c0 02 00 05 00 04  00 15 00 12 00 09 00 14 ........ ........
0000008A  00 11 00 08 00 06 00 03  00 ff 01 00             ........ ....
FileZilla wrote:

0000000A  16 03 00 00 a9 01 00 00  a5 03 03 50 f6 b7 7c 8f ........ ...P..|.
0000001A  8d ad ed e4 bd 6a f7 b1  74 b8 2d f6 dd d1 8b e0 .....j.. t.-.....
0000002A  90 ae 8d 33 c0 7f fa 1c  a9 69 51 00 00 44 c0 24 ...3.... .iQ..D.$
0000003A  c0 0a c0 2c c0 23 c0 09  c0 2b c0 14 c0 30 c0 27 ...,.#.. .+...0.'
0000004A  c0 13 c0 2f 00 6b 00 39  00 88 00 67 00 33 00 45 .../.k.9 ...g.3.E
0000005A  00 9e 00 6a 00 38 00 87  00 40 00 32 00 44 00 a2 ...j.8.. .@.2.D..
0000006A  00 66 00 3d 00 35 00 84  00 3c 00 2f 00 41 00 9c .f.=.5.. .<./.A..
0000007A  00 05 01 00 00 38 00 05  00 05 01 00 00 00 00 ff .....8.. ........
0000008A  01 00 01 00 00 23 00 00  00 0a 00 08 00 06 00 18 .....#.. ........
0000009A  00 19 00 17 00 0b 00 02  01 00 00 0d 00 10 00 0e ........ ........
000000AA  05 01 05 03 06 01 06 03  04 01 04 02 04 03       ........ ......
Ελληνικά rulez.
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

You are right, I missed the SSL option in FTP plugin configuration! I can reproduce it now.
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

FileZilla is displaying the following confirmation dialog box:
Attachment: cert_confirmation.png
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

Another test with an SSL-enabled build of CURL (http://curl.haxx.se/latest.cgi?curl=win64-ssl-sspi):

curl --ssl-reqd --verbose ftp://w34695_test:jGJWNgQ8@34695.w95.wedos.net/textfile.txt

* About to connect() to 34695.w95.wedos.net port 21 (#0)
*   Trying 46.28.105.76... connected
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html


curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

DDD
Posts: 6
Joined: 15 Jan 2013, 19:15

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by DDD »

Jan Rysavy wrote: Another test with SSL enabled build of CURL
cURL does not come with any trusted certificates by default (and does not use Windows cert repository). In this case, the certificate chain is WEDOS -> StartCom Class 2 Primary Intermediate Server CA -> StartCom Certification Authority. You need to supply the last two certificates to cURL. I have created the needed bundle: ftp://w34695_test:jGJWNgQ8@34695.w95.we ... bundle.crt. If you run curl with this file in curl's directory (or maybe working directory), it will work:
D:\Downloads\curl-7.28.1>dir /B
curl-ca-bundle.crt
curl.exe

D:\Downloads\curl-7.28.1>curl -u w34695_test:jGJWNgQ8 --ssl-reqd ftp://34695.w95.wedos.net/textfile.txt
test text file
test text file
test text file
test text file
Or just skip certificate verification altogether using the -k option. I do not think the problem concerns verifying the certificate - if I understand correctly, the Salamander ftp plugin simply asks whether to accept an unknown certificate (like FileZilla does). It works correctly with my local FileZilla server with self-signed certificate.
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

The Salamander FTP plugin uses the Windows API to validate the certificate. When the certificate doesn't pass validation, a confirmation is displayed.
(Address: ftp.secureftp-test.com, Login: test, Password: test)
Attachment: server_identity_problem.png
You can test SSL connection to kmlinux.fjfi.cvut.cz - you should not receive any certificate confirmation.
Attachment: valid.png
Ether
Posts: 1471
Joined: 10 May 2007, 16:08
Location: Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Ether »

IMO the problem is in the ClientHello and ServerHello parts of TLS negotiation, which come before any certificate validation. When I tried passing different protocol options to openssl s_client -showcerts -connect 34695.w95.wedos.net:21 -starttls ftp -debug, it seemed that -ssl3 and -ssl2 cause the same error, while -tls1 (possibly the default) connects successfully.

Unfortunately, I don't know what API options those parameters translate into. It can probably be determined by reading the source code or debug-stepping or API hooking. I haven't had success with the latter (my openssl.exe is apparently statically linked, FileZilla too) and don't have much time at this moment to do any of the first two. If there's a tool to dissect the TLS negotiation data (see my hex dumps above), it could help, too.
Ελληνικά rulez.
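The two ClientHello dumps above, parsed by a small dissector of the kind Ether asks for here. This is an added example, not code from Salamander, FileZilla or anyone in the thread; it embeds the record bytes from the two hex dumps (offset and ASCII columns dropped) and reports the version fields, cipher suites and extensions that differ between the two clients.

```python
# Added example, not Salamander/FileZilla code: a small dissector for the ClientHello
# records in Ether's hex dumps (offset and ASCII columns dropped; bytes unchanged).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
EXTENSIONS = {0x0005: "status_request", 0x000a: "supported_groups", 0x000b: "ec_point_formats",
              0x000d: "signature_algorithms", 0x0023: "session_ticket", 0xff01: "renegotiation_info"}

SALAMANDER_HELLO = bytes.fromhex(
    "16 03 00 00 87 01 00 00 83 03 00 50 f6 b8 5c 5e e3 d6 9d ab 3b 5f b7 61 7c bf 49 66 4e 36 04 08"
    " d2 3f 36 03 a4 c3 b1 c7 48 c1 7e 00 00 5c c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35"
    " 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44"
    " c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14"
    " 00 11 00 08 00 06 00 03 00 ff 01 00")
FILEZILLA_HELLO = bytes.fromhex(
    "16 03 00 00 a9 01 00 00 a5 03 03 50 f6 b7 7c 8f 8d ad ed e4 bd 6a f7 b1 74 b8 2d f6 dd d1 8b e0"
    " 90 ae 8d 33 c0 7f fa 1c a9 69 51 00 00 44 c0 24 c0 0a c0 2c c0 23 c0 09 c0 2b c0 14 c0 30 c0 27"
    " c0 13 c0 2f 00 6b 00 39 00 88 00 67 00 33 00 45 00 9e 00 6a 00 38 00 87 00 40 00 32 00 44 00 a2"
    " 00 66 00 3d 00 35 00 84 00 3c 00 2f 00 41 00 9c 00 05 01 00 00 38 00 05 00 05 01 00 00 00 00 ff"
    " 01 00 01 00 00 23 00 00 00 0a 00 08 00 06 00 18 00 19 00 17 00 0b 00 02 01 00 00 0d 00 10 00 0e"
    " 05 01 05 03 06 01 06 03 04 01 04 02 04 03")

def be16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")

def parse_client_hello(record: bytes) -> dict:
    # Returns the negotiation-relevant fields; raises ValueError on anything else.
    if len(record) < 5 or record[0] != 0x16:              # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + be16(record, 3)]
    if len(body) != be16(record, 3) or not body or body[0] != 0x01:   # 0x01 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 34                                              # version (2) + random (32)
    pos += 1 + hello[pos]                                 # session_id
    cs_len = be16(hello, pos); pos += 2
    suites = [be16(hello, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + hello[pos]                                 # compression_methods
    exts = []
    if pos < len(hello):                                  # extensions block is optional
        end = pos + 2 + be16(hello, pos); pos += 2
        while pos < end:
            etype, elen = be16(hello, pos), be16(hello, pos + 2)
            exts.append(EXTENSIONS.get(etype, f"unknown_0x{etype:04x}"))
            pos += 4 + elen
    return {"record_version": VERSIONS.get((record[1], record[2]), "unknown"),
            "client_version": VERSIONS.get(client_version, "unknown"),
            "cipher_suites": suites, "extensions": exts}
```

On these two records it reports Salamander's hello as client_version SSLv3 with 46 cipher suites and no extensions, and FileZilla's as client_version TLS 1.2 with 34 suites and six extensions (both inside an SSLv3-version record layer). That is the difference a server that refuses SSLv3 sees, and it matches the SSLv3_client_method versus SSLv23_client_method behaviour Jan Rysavy describes later in the thread.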
DDD
Posts: 6
Joined: 15 Jan 2013, 19:15

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by DDD »

Yes,
openssl s_client -CAfile curl-ca-bundle.crt -connect 34695.w95.wedos.net:21 -starttls ftp
works perfectly and validates the certificates.
openssl s_client -CAfile curl-ca-bundle.crt -connect 34695.w95.wedos.net:21 -starttls ftp -ssl3
returns:
3160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1251:SSL alert number 40
3160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:592:
openssl s_client -CAfile curl-ca-bundle.crt -connect 34695.w95.wedos.net:21 -starttls ftp -ssl2
returns:
write:errno=10054
Do these translate to the error in Salamander? Salamander fails at SSL_connect.
Jan Rysavy
ALTAP Staff
Posts: 5229
Joined: 08 Dec 2005, 06:34
Location: Novy Bor, Czech Republic

Re: 3.0 beta 1: cannot connect using FTP with Explicit SSL

Post by Jan Rysavy »

Yes, we are receiving the following output from the OpenSSL library when opening an SSL session with SSLv3_client_method():

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
After switching to SSLv23_client_method():

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
The problem seems to be fixed. The SSL 2.0 protocol has security flaws and we will disable it.

Unfortunately there is another problem with this WEDOS server:

Unable to read the whole list of files and directories from server. The list displayed in panel can be incomplete.

Server reply: 522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page
I'm opening a new bug for this problem: http://forum.altap.cz/viewtopic.php?f=2&t=6673

Original problem is fixed, thank you for help!