Total Commander FTPS error=10050 on TLS only servers

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed

Moderators: white, Hacker, petermad, Stefan2

onidlo2
Junior Member
Posts: 5
Joined: 2015-10-23, 19:18 UTC

Post by *onidlo2 »

Unfortunately, I don't know how to add support for TLS1.1. But it seems that you are right; this is a list of supported protocols from my server:

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)

$ openssl ciphers -v | grep TLSv1.1
(returns nothing)
$ openssl ciphers -v | grep TLSv1.2
(returns a lot of ciphers)

This is the default setup for all Debian Jessie installations.

As far as I know, OpenSSL supports TLS 1.2 since version 1.0.1c. Is it possible to update Total Commander to support TLSv1.2 too?
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

You will have to find a precompiled OpenSSL dll with TLSv1.2 built in, or recompile the sources from OpenSSL.org yourself.
Author of Total Commander
https://www.ghisler.com
onidlo2
Junior Member
Posts: 5
Joined: 2015-10-23, 19:18 UTC

Post by *onidlo2 »

Hi,

I already use OpenSSL 1.0.2d which supports TLSv1_2. I tried DLLs from:
- https://slproweb.com/products/Win32OpenSSL.html
- https://indy.fulgan.com/SSL/

None of them works with Total Commander and TLSv1_2. Still the same result: "OFFLINE, error=10050" just after USER command.

I checked both DLLs (win openssl.exe provided by slproweb.com) and both of them support TLSv1_2.

WinSCP shows a screen, where I have to confirm self-signed certificate, then it connects and everything runs great. But I like Total Commander and I would like to use it for FTPS too;-))

Image: http://www.vitaj.sk/WinSCP-screen.png
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

It's not a certificate error, TC also accepts self-signed certificates. But maybe the certificate has expired?
Author of Total Commander
https://www.ghisler.com
Guillaume
Junior Member
Posts: 90
Joined: 2003-04-08, 16:51 UTC

Post by *Guillaume »

I had the same OFFLINE, error=10050 thing with vsFTPd.

1) For me the solution was not really a logical one, but I had to include

ssl_ciphers=HIGH
in its configuration file.
ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. Note that restricting ciphers can be a useful security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with.
Hope it's worth anything and can get you on the right track.

2) Another occasion was when I made the chroot directory of the user that logged on writable (which vsFTPd doesn't allow). It wanted to send an ordinary message of this problem, but when the connection is implicitly secured, the message itself is not readable. TC gives you the SSL_get_error, while FileZilla says something like "unexpected TLS packet received".

I'm well aware that this is another server altogether, but it might help you in the right direction somehow. Disclaimer: I read the whole topic a while ago, much has happened since, so I might not exactly be spot on here :P
onidlo2
Junior Member
Posts: 5
Joined: 2015-10-23, 19:18 UTC

Post by *onidlo2 »

ghisler(Author) wrote: It's not a certificate error, TC also accepts self-signed certificates. But maybe the certificate has expired?
Hi ghisler!
No, certificate is ok. I can give you access to the server, if you can debug it...
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2onidlo2 Could you try user Guillaume's suggestions to fix it? It looks like the server is only offering codecs not supported by OpenSSL.
Author of Total Commander
https://www.ghisler.com
Nakata
Junior Member
Posts: 2
Joined: 2015-11-05, 13:57 UTC

Same problem

Post by *Nakata »

The same problem happened to me after the update from Debian Wheezy to Debian Jessie. Using pureFTPD.
Nakata
Junior Member
Posts: 2
Joined: 2015-11-05, 13:57 UTC

Quick solution

Post by *Nakata »

The only solution seems to be to enable SSL (vulnerable to the POODLE attack): delete the file /etc/pure-ftpd/conf/TLSCipherSuite and restart pureFTPD.

Your file TLSCipherSuite probably contains ALL:!aNULL:!SSLv3, which means SSL v3 is disabled.

---
The question is, is this really a problem of OpenSSL? FileZilla also uses OpenSSL, and the TLS connection to pureFTPD works OK.
onidlo2
Junior Member
Posts: 5
Joined: 2015-10-23, 19:18 UTC

Re: Quick solution

Post by *onidlo2 »

Hi there,

thank you Nakata, I changed /etc/pure-ftpd/conf/TLSCipherSuite from "ALL:!aNULL:!SSLv3" to "ALL:!aNULL" and now TC can connect. This change means that all SSL version 3.0 ciphers are enabled.
Nakata wrote: The question is, is this really a problem of OpenSSL? FileZilla also uses OpenSSL, and the TLS connection to pureFTPD works OK.
I have the latest OpenSSL libraries and therefore I think it is a problem of TC, not OpenSSL.

Regards,
Ondrej
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Could you send me the name of your server? I don't even need a login user+password, since the problem occurs before logging in.
Author of Total Commander
https://www.ghisler.com
Raziel
Junior Member
Posts: 8
Joined: 2016-01-27, 19:34 UTC
Location: Bucharest, Romania

Post by *Raziel »

It sure is a problem of TC. It doesn't know how to handle TLSv1.2 with "explicit FTP over TLS" connections properly.
When trying to connect to my secured FTP server, it returns:

[WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Are you sure you are using explicit FTP over TLS? Explicit means that TC connects in clear text, then sends command
AUTH TLS
and then starts the TLS session.

If it does indeed use explicit mode, then please let me know which command causes this error (see ftp log, Configuration - Options - FTP - Log file).
Author of Total Commander
https://www.ghisler.com
Raziel
Junior Member
Posts: 8
Joined: 2016-01-27, 19:34 UTC
Location: Bucharest, Romania

Post by *Raziel »

Here is the FTP log:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 4 of 50 allowed.
220-Local time is now 14:06. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
USER xxxxxx
OFFLINE7, error=0
And the response on the server-side:
[WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

???
After AUTH TLS, a secure connection is established.
Author of Total Commander
https://www.ghisler.com
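
Added example (not part of any post in this thread, and not Total Commander code): a small Python triage of a client-side FTP log like the one posted above, locating where the session broke relative to the explicit AUTH TLS upgrade. The function names, the category labels and the trimmed sample log are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the client-side log quoted in the thread.
SAMPLE_LOG = """\
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 4 of 50 allowed.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
USER xxxxxx
OFFLINE7, error=0
"""

REPLY = re.compile(r"^(\d{3})([ -])")               # FTP reply line: code + separator
STATUS = re.compile(r"^OFFLINE\d*, error=(\d+)$")   # client status line seen in the thread

def parse(log):
    """Turn log text into events: ('reply', code), ('cmd', verb), ('offline', err)."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        m = REPLY.match(line)
        if m:
            # "NNN-" lines belong to a multi-line reply; only "NNN " completes it
            if m.group(2) == " ":
                events.append(("reply", int(m.group(1))))
            continue
        s = STATUS.match(line)
        if s:
            events.append(("offline", int(s.group(1))))
        elif line:
            events.append(("cmd", line.split()[0].upper()))
    return events

def classify(events):
    """Say where the session broke relative to the AUTH TLS upgrade."""
    auth_at = next((i for i, e in enumerate(events) if e == ("cmd", "AUTH")), None)
    off_at = next((i for i, e in enumerate(events) if e[0] == "offline"), None)
    if off_at is None:
        return "no-failure"
    if auth_at is None or auth_at > off_at:
        return "failed-before-auth-tls"
    between = events[auth_at + 1:off_at]
    replies = [e[1] for e in between if e[0] == "reply"]
    if not replies or replies[0] != 234:
        return "auth-tls-rejected"
    # 234 was the last reply, and a later command never got an answer
    if replies == [234] and any(e[0] == "cmd" for e in between):
        return "dropped-after-auth-tls-accepted"
    return "failed-after-login-started"
```

For the log quoted in the thread, `classify(parse(SAMPLE_LOG))` returns `dropped-after-auth-tls-accepted`: the server answered 234, and the first command sent after the upgrade never received a reply.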