Total Commander FTPS error=10050 on TLS only servers

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed

Spacedust
Junior Member
Posts: 2
Joined: 2014-11-16, 19:16 UTC

Post by *Spacedust »

I'm trying to connect to my dedicated servers using FTPS.

Since discovering the Poodlebleed Bug I had to disable SSL support on my server and use TLS only.

Now when I try to use FTPS I get this error:

Code:

220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 4 of 5000 allowed.
220-Local time is now 20:18. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
USER admin2
OFFLINE7, error=10050

If using WinSCP and TLS only mode then I'm able to connect.
sqa_wizard
Power Member
Posts: 3854
Joined: 2003-02-06, 11:41 UTC
Location: Germany

Post by *sqa_wizard »

OFFLINE7, error=10050
Maybe this is related to the password used, which has a special letter.
Try using another password without this letter.
(e.g. "$" is a suspicious one)
#5767 Personal license
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

This is odd, error 10050 is defined as follows:
WSAENETDOWN 10050 - Network is down. A socket operation encountered a dead network. This could indicate a serious failure of the network system (that is, the protocol stack that the Windows Sockets DLL runs over), the network interface, or the local network itself.

It could be a firewall blocking the sending of the password.
Author of Total Commander
https://www.ghisler.com
Spacedust
Junior Member
Posts: 2
Joined: 2014-11-16, 19:16 UTC

Post by *Spacedust »

No firewall apart from the Windows one, and no special letters in my password. It works just fine for normal FTP (without SSL).

Please note it happens right after typing the username (admin) - no password prompt is even shown.

My server options are like these:

Code:

service ftp
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/pure-ftpd
        server_args     = -A -c5000 -C8 -D -fftp  -H -I15 -lpuredb:/etc/pure-ftpd/pureftpd.pdb -lunix -L10000:8 -m4 -s -p30000:50000 -U133:022 -u100 -E -Oclf:/var/log/pureftpd.log -g/var/run/pure-ftpd.pid -k99 -Z -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
        groups          = yes
        flags           = REUSE
}
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Could you create a read only test account for me? Just put a single text file in the root, so I can see whether the login worked or not.
neil77
Junior Member
Posts: 4
Joined: 2015-09-17, 07:12 UTC

Post by *neil77 »

Debian GNU/Linux 8.1 (jessie):
cat /etc/pure-ftpd/conf/TLSCipherSuite
ALL:!aNULL:!SSLv3

With SSLv3, FTP is working and the program will ask for a certificate.
Only an example:
rm /etc/pure-ftpd/conf/TLSCipherSuite
Then pure-ftpd runs with default parameters (with SSL3 :?)

I could create an account for you for testing.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2neil77
How does the FTP log from Total Commander look? You can enable it via Configuration - Options - FTP.
neil77
Junior Member
Posts: 4
Joined: 2015-09-17, 07:12 UTC

Post by *neil77 »

----------
SSL: Libraries loaded OK! C:\Windows\system32\libeay32.dll
Connect to: (2015-09-17 16:08:19)
hostname=192.168.1.40
username=
startdir=
192.168.1.40=192.168.1.40
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 16:08. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
USER jacek
OFFLINE7, error=10050
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

It looks like the TLS handshake works (no error from openssl libraries), but you are immediately logged out by the server.
neil77
Junior Member
Posts: 4
Joined: 2015-09-17, 07:12 UTC

Post by *neil77 »

TC:
Sep 17 18:36:10 studio pure-ftpd: (?@192.168.1.100) [INFO] New connection from 192.168.1.100
Sep 17 18:36:10 studio pure-ftpd: (?@192.168.1.100) [DEBUG] Command [auth] [TLS]
Sep 17 18:36:10 studio pure-ftpd: (?@192.168.1.100) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.

WINSCP : FTP+TLS_ONLY
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [INFO] New connection from 192.168.1.100
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [DEBUG] Command [auth] [TLS]
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [DEBUG] Command [user] [jacek]
Sep 17 18:52:26 studio pure-ftpd: (?@192.168.1.100) [DEBUG] Command [pass] [<*>]
Sep 17 18:52:26 studio pure-ftpd: (?@192.168.1.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 17 18:52:26 studio pure-ftpd: (?@192.168.1.100) [INFO] jacek is now logged in
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [syst] []
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [feat] []
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [opts] [UTF8 ON]
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [pbsz] [0]
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [prot] [P]
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [pwd] []
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [cwd] [/]
Sep 17 18:52:26 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [pwd] []
Sep 17 18:52:27 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [type] [A]
Sep 17 18:52:27 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [pasv] []
Sep 17 18:52:27 studio pure-ftpd: (jacek@192.168.1.100) [DEBUG] Command [mlsd] []
Sep 17 18:52:27 studio pure-ftpd: (jacek@192.168.1.100) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher

LOCAL:
$openssl s_client -starttls ftp -crlf -tls1_2 -connect localhost:21
CONNECTED(00000003)
depth=0 C = PL, ST = studio.foo.pl, O = studio.foo.pl, CN = studio.foo.pl
verify error:num=18:self signed certificate
verify return:1
depth=0 C = PL, ST = studio.foo.pl, O = studio.foo.pl, CN = studio.foo.pl
verify return:1
---
Certificate chain
0 s:/C=PL/ST=studio.foo.pl/O=studio.foo.pl/CN=studio.foo.pl
i:/C=PL/ST=studio.foo.pl/O=studio.foo.pl/CN=studio.foo.pl
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAw___CUT___
-----END CERTIFICATE-----
subject=/C=PL/ST=studio.foo.pl/O=studio.foo.pl/CN=studio.foo.pl
issuer=/C=PL/ST=studio.foo.pl/O=studio.foo.pl/CN=studio.foo.pl
---
No client certificate CA names sent
---
SSL handshake has read 2104 bytes and written 495 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 8E35F5BF7EE56913B73CA47D962C5E9E51F7DF38EF480383B3900B9FC7854382
Session-ID-ctx:
Master-Key: E08AA99A37EC9E7877FF760FEBE1E347703EA919B6F7017365A6CEA3500A074646EF164F83F98C7B2688D9C6E3820396
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
0000 - 15 f9 00 cd 1c cc 38 1f-d8 e9 80 95 a3 df 32 8d ......8.......2.
___CUT___
Start Time: 1442508838
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
220 You will be disconnected after 15 minutes of inactivity.
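
Added example (not part of any post in this thread, and not Total Commander or Pure-FTPd code): a small Python classifier run over lines copied from the two server-side excerpts above. It shows that the Total Commander session goes from AUTH TLS straight to the cleartext warning with no negotiated-cipher line logged, while the WinSCP session logs one before USER. The function name `classify_sessions` and the verdict labels are assumptions of this example.

```python
import re

# Lines copied from the two pure-ftpd excerpts posted above (TC first, then WinSCP).
SAMPLE_LOG = """\
Sep 17 18:36:10 studio pure-ftpd: (?@192.168.1.100) [INFO] New connection from 192.168.1.100
Sep 17 18:36:10 studio pure-ftpd: (?@192.168.1.100) [DEBUG] Command [auth] [TLS]
Sep 17 18:36:10 studio pure-ftpd: (?@192.168.1.100) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [INFO] New connection from 192.168.1.100
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [DEBUG] Command [auth] [TLS]
Sep 17 18:52:22 studio pure-ftpd: (?@192.168.1.100) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Sep 17 18:52:26 studio pure-ftpd: (?@192.168.1.100) [INFO] jacek is now logged in
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ pure-ftpd: \([^@]*@([^)]+)\) \[\w+\] (.*)$")
CIPHER = re.compile(r"^SSL/TLS: Enabled \S+ with (\S+),")

def classify_sessions(text):
    """Group lines into sessions per peer and label how far TLS setup got."""
    sessions, open_by_peer = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, peer, msg = m.groups()
        if msg.startswith("New connection from"):
            s = {"start": ts, "peer": peer, "auth_tls": False,
                 "cipher": None, "rejected": False, "login": None}
            open_by_peer[peer] = s
            sessions.append(s)
            continue
        s = open_by_peer.get(peer)
        if s is None:
            continue  # session started before the excerpt
        if msg.lower().startswith("command [auth] [tls"):
            s["auth_tls"] = True
        elif (c := CIPHER.match(msg)) and s["cipher"] is None:
            s["cipher"] = c.group(1)  # keep the first cipher logged for the session
        elif msg.startswith("Sorry, cleartext sessions are not accepted"):
            s["rejected"] = True
        elif msg.endswith(" is now logged in"):
            s["login"] = msg.split()[0]
    for s in sessions:
        s["verdict"] = ("tls-negotiated" if s["cipher"] else
                        "auth-tls-but-no-cipher-logged" if s["auth_tls"] and s["rejected"] else
                        "tls-never-requested" if s["rejected"] else "undetermined")
    return sessions

if __name__ == "__main__":
    print([(s["start"], s["verdict"], s["cipher"]) for s in classify_sessions(SAMPLE_LOG)])
```

Sessions are keyed by peer address because these log lines carry no process ID, so two overlapping connections from the same address would be merged.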
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Apparently the server does not support explicit SSL (AUTH TLS command), only implicit (direct SSL connection). Normally TC can recognize this automatically. Try setting it manually.

In the wcx_ftp.ini section of the connection, add
SpecialFlags=1
neil77
Junior Member
Posts: 4
Joined: 2015-09-17, 07:12 UTC

SpecialFlags=1

Post by *neil77 »

Connect to: (2015-09-21 11:54:41)
hostname=192.168.1.40
username=
startdir=
192.168.1.40=192.168.1.40
SSL_read returned -1, SSL_get_error=1


SERVER:
- Debian GNU/Linux 8.2 (jessie)
- pure-ftpd 1.0.36-3.2
$ cat /etc/pure-ftpd/conf/TLS
1
$ cat /etc/pure-ftpd/conf/TLSCipherSuite
ALL:!aNULL:!SSLv3

Of course with +SSLv3 TC is working...
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

SSL_get_error=1 is SSL_ERROR_SSL, which means some kind of error in SSL/TLS negotiation. TC would have to call ERR_get_error() to get more information on the specific SSL error. The error means that OpenSSL couldn't establish an SSL connection to your server; it is difficult to say what is wrong.
onidlo2
Junior Member
Posts: 5
Joined: 2015-10-23, 19:18 UTC

Post by *onidlo2 »

Hi!

I have the same problem. I cannot connect to PureFTPd server (after upgrading from Debian Wheezy to Jessie) from Total Commander.

I can connect from WinSCP or lftp (command-line Linux client). WinSCP asks me to confirm the certificate, Total Commander does not.

Everything worked perfectly until I upgraded to latest Debian.
Do you know why?
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

It could be due to the missing TLSv1.2 support in OpenSSL. If you can, allow TLSv1.1 on the server.