FTPS Socket Closed While Negotiation In Progress

0 votes
asked Nov 1, 2016 by mcook_systemax (120 points)

We have a requirement from a client to start using FTPS instead of FTP in one of our applications. Two weeks ago I downloaded the trial version of the Rebex FTP component, added it to my program, and everything was working perfectly.

We are ready to implement the new version, so I upgraded to the full version of the control, updated the references in my project and rebuilt, and now my FTPS connection is getting closed as soon as I try to secure it.

To make sure it wasn't something in my code, I ran the sample WinForms app, and it's giving the same error. Here is the log from the sample app:

Welcome to Rebex FTP!
08:18:16.217 Info Info: Connecting to xx.xx.xxx.xxx:21 using Ftp 4.0.6083.0.
08:18:16.219 Info Info: Using proxy none.
08:18:16.271 Debug Info: Connection succeeded.
08:18:16.309 Verbose Info: Received data over control connection: 
 0000 |32-32-30-20-4D-69-63-72 6F-73-6F-66-74-20-46-54| 220 Microsoft FT
 0010 |50-20-53-65-72-76-69-63 65-0D-0A               | P Service..
08:18:16.321 Info Response: 220 Microsoft FTP Service
08:18:16.338 Verbose Info: Sent data over control connection: 
 0000 |41-55-54-48-20-54-4C-53 0D-0A                  | AUTH TLS..
08:18:16.340 Info Command: AUTH TLS
08:18:16.365 Verbose Info: Received data over control connection: 
 0000 |32-33-34-20-41-55-54-48 20-63-6F-6D-6D-61-6E-64| 234 AUTH command
 0010 |20-6F-6B-2E-20-45-78-70 65-63-74-69-6E-67-20-54|  ok. Expecting T
 0020 |4C-53-20-4E-65-67-6F-74 69-61-74-69-6F-6E-2E-0D| LS Negotiation..
 0030 |0A                                             | .
08:18:16.368 Info Response: 234 AUTH command ok. Expecting TLS Negotiation.
08:18:16.372 Debug Info: Upgrading control connection to TLS/SSL.
08:18:16.407 Verbose TLS: Sent TLS packet: 
 0000 |16-03-03-00-85-01-00-00 81-03-03-58-18-88-08-47| ...........X...G
 0010 |94-0C-5F-8C-6F-B3-48-C0 BA-AC-95-33-AF-4D-82-F0| .._.o.H....3.M..
 0020 |BE-4D-93-BE-36-68-95-CC 03-5B-C9-00-00-32-00-6B| .M..6h...[...2.k
 0030 |00-67-00-3D-00-3C-00-6A 00-40-00-33-00-39-00-2F| .g.=.<.j.@.3.9./
 0040 |00-35-00-32-00-38-00-16 00-0A-00-13-00-05-00-04| .5.2.8..........
 0050 |00-66-00-15-00-09-00-12 00-62-00-64-00-63-00-65| .f.......b.d.c.e
 0060 |01-00-00-26-00-00-00-12 00-10-00-00-0D-31-30-2E| ...&.........10.
 0070 |34-38-2E-32-34-33-2E-31 32-34-00-0D-00-0C-00-0A| 48.243.124......
 0080 |06-01-05-01-04-01-02-01 02-02                  | ..........
08:18:16.412 Info TLS: State StateChange:Negotiating
08:18:16.414 Debug TLS: HandshakeMessage:ClientHello was sent.
08:18:16.444 Debug TLS: TLS socket was closed, 0 bytes of data were received.
08:18:16.446 Info TLS: State StateChange:Closed
08:18:16.447 Debug TLS: TLS socket closed while negotiation was in progress.
08:18:16.450 Debug TLS: Closing TLS socket.
08:18:16.461 Error Info: Rebex.Net.TlsException: Connection was closed by the remote connection end. ---> Rebex.Net.TlsException: Connection was closed by the remote connection end.
   at Rebex.Net.MBG.IC()
   at Rebex.Net.TlsSocket.Negotiate()
   at Rebex.Net.KFG.PW(TlsParameters U)
   at Rebex.Net.Ftp.EE(TlsParameters U, FtpSecureUpgradeType W)
   at Rebex.Net.Ftp.NV(String U, Int32 W, TlsParameters C, SslMode Q, FtpSecureUpgradeType J)
   --- End of inner exception stack trace ---
   at Rebex.Net.Ftp.NV(String U, Int32 W, TlsParameters C, SslMode Q, FtpSecureUpgradeType J)
* Rebex.Net.TlsException: Connection was closed by the remote connection end. ---> Rebex.Net.TlsException: Connection was closed by the remote connection end.
   at Rebex.Net.MBG.IC()
   at Rebex.Net.TlsSocket.Negotiate()
   at Rebex.Net.KFG.PW(TlsParameters U)
   at Rebex.Net.Ftp.EE(TlsParameters U, FtpSecureUpgradeType W)
   at Rebex.Net.Ftp.NV(String U, Int32 W, TlsParameters C, SslMode Q, FtpSecureUpgradeType J)
   --- End of inner exception stack trace ---
   at Rebex.Net.Ftp.NV(String U, Int32 W, TlsParameters C, SslMode Q, FtpSecureUpgradeType J)
   at Rebex.Net.Ftp.KD(Object U, Enum W, Object[] C)
   at Rebex.BQG.WW(Object U)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Rebex.Samples.MainForm.<btnConnect_Click>d__7.MoveNext()

I have tried to rule out everything I could think of by accepting any certificate, and allowing all protocols and ciphers, but I get the same error regardless.

To make sure it's not a server configuration error (which hasn't changed since I tested the trial version 2 weeks ago) I tried connecting with FileZilla and had no issues. Here's that log:

2016-10-31 12:03:42 9364 1 Status: Connecting to xx.xx.xxx.xxx:21...
2016-10-31 12:03:43 9364 1 Status: Connection established, waiting for welcome message...
2016-10-31 12:03:43 9364 1 Response: 220 Microsoft FTP Service
2016-10-31 12:03:43 9364 1 Command: AUTH TLS
2016-10-31 12:03:43 9364 1 Response: 234 AUTH command ok. Expecting TLS Negotiation.
2016-10-31 12:03:43 9364 1 Status: Initializing TLS...
2016-10-31 12:03:43 9364 1 Status: Verifying certificate...
2016-10-31 12:03:43 9364 1 Status: TLS connection established.
2016-10-31 12:03:43 9364 1 Command: USER *********
2016-10-31 12:03:43 9364 1 Response: 331 Password required
2016-10-31 12:03:43 9364 1 Command: PASS *********
2016-10-31 12:03:43 9364 1 Response: 230 User logged in.
2016-10-31 12:03:43 9364 1 Command: SYST
2016-10-31 12:03:43 9364 1 Response: 215 Windows_NT
2016-10-31 12:03:43 9364 1 Command: FEAT
2016-10-31 12:03:43 9364 1 Response: 211-Extended features supported:
2016-10-31 12:03:43 9364 1 Response:  LANG EN*
2016-10-31 12:03:43 9364 1 Response:  UTF8
2016-10-31 12:03:43 9364 1 Response:  AUTH TLS;TLS-C;SSL;TLS-P;
2016-10-31 12:03:43 9364 1 Response:  PBSZ
2016-10-31 12:03:43 9364 1 Response:  PROT C;P;
2016-10-31 12:03:43 9364 1 Response:  CCC
2016-10-31 12:03:43 9364 1 Response:  HOST
2016-10-31 12:03:43 9364 1 Response:  SIZE
2016-10-31 12:03:43 9364 1 Response:  MDTM
2016-10-31 12:03:43 9364 1 Response:  REST STREAM
2016-10-31 12:03:43 9364 1 Response: 211 END
2016-10-31 12:03:43 9364 1 Command: OPTS UTF8 ON
2016-10-31 12:03:43 9364 1 Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
2016-10-31 12:03:43 9364 1 Command: PBSZ 0
2016-10-31 12:03:43 9364 1 Response: 200 PBSZ command successful.
2016-10-31 12:03:43 9364 1 Command: PROT P
2016-10-31 12:03:43 9364 1 Response: 200 PROT command successful.
2016-10-31 12:03:43 9364 1 Status: Logged in
2016-10-31 12:03:43 9364 1 Status: Retrieving directory listing...
2016-10-31 12:03:43 9364 1 Command: PWD
2016-10-31 12:03:43 9364 1 Response: 257 "/" is current directory.
2016-10-31 12:03:43 9364 1 Command: TYPE I
2016-10-31 12:03:43 9364 1 Response: 200 Type set to I.
2016-10-31 12:03:43 9364 1 Command: PASV
2016-10-31 12:03:43 9364 1 Response: 227 Entering Passive Mode (xx,xx,xxx,xxx,xxx,xxx).
2016-10-31 12:03:43 9364 1 Command: LIST
2016-10-31 12:03:43 9364 1 Response: 150 Opening BINARY mode data connection.
2016-10-31 12:03:43 9364 1 Response: 226 Transfer complete.
2016-10-31 12:03:43 9364 1 Status: Directory listing of "/" successful
2016-10-31 12:03:48 9364 1 Status: Disconnected from server

The server is a Windows 2012 server running IIS 8.5. It has been configured to allow secure connections.

Any help would be greatly appreciated!

Applies to: Rebex FTP/SSL

1 Answer

0 votes
answered Nov 1, 2016 by Lukas Matyska (57,170 points)
edited Dec 20, 2016 by Lukas Pokorny

The trial and full versions of Rebex assemblies are equivalent, except that the trial contains a check for 30-day expiration. The issue is very probably related to a change in the FTPS server configuration. If you try the previously used trial version, I bet that it will fail now as well.

When a server closes the connection just after it receives the ClientHello, it typically indicates that the server is not satisfied with the security algorithms offered by the client.

I think that the FTPS server is now configured to accept only the latest TLS/SSL ciphers, which use elliptic curve cryptography. These algorithms are not supported in the current public version. However, we already have support for them in the beta version.

Support for elliptic curve ciphers has been added in Rebex FTP/SSL 2016 R3.

commented Nov 7, 2016 by mcook_systemax (120 points)
Just wanted to say the new beta works perfectly -- thanks!
...
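
The answer's diagnosis can be checked against the log itself. The following added example (not part of the original thread and not Rebex code) decodes the ClientHello record from the "Sent TLS packet" dump in the question and reports whether the client offered any elliptic-curve key exchange; the names `parse_client_hello`, `offers_elliptic_curve` and `EC_SUITES` are this example's own.

```python
import struct
# ClientHello record copied from the "Sent TLS packet" hex dump in the question's log.
RECORD = bytes.fromhex("".join("""
16 03 03 00 85 01 00 00 81 03 03 58 18 88 08 47
94 0C 5F 8C 6F B3 48 C0 BA AC 95 33 AF 4D 82 F0
BE 4D 93 BE 36 68 95 CC 03 5B C9 00 00 32 00 6B
00 67 00 3D 00 3C 00 6A 00 40 00 33 00 39 00 2F
00 35 00 32 00 38 00 16 00 0A 00 13 00 05 00 04
00 66 00 15 00 09 00 12 00 62 00 64 00 63 00 65
01 00 00 26 00 00 00 12 00 10 00 00 0D 31 30 2E
34 38 2E 32 34 33 2E 31 32 34 00 0D 00 0C 00 0A
06 01 05 01 04 01 02 01 02 02
""".split()))

# Suite IDs assigned to ECDH/ECDHE key exchange by RFC 4492 and RFC 5289.
EC_SUITES = set(range(0xC001, 0xC01A)) | set(range(0xC023, 0xC033))
SUPPORTED_GROUPS = 10  # extension type a client sends to list its curves

def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suite IDs and extension types from one TLS record."""
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5 or record[5] != 0x01:
        raise ValueError("expected a single, complete ClientHello record")
    pos = 9                                   # record header (5) + handshake header (4)
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                             # client_version + random
    pos += 1 + record[pos]                    # session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from(f"!{cs_len // 2}H", record, pos + 2))
    pos += 2 + cs_len
    pos += 1 + record[pos]                    # compression methods
    extensions = []
    if pos + 2 <= len(record):                # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            extensions.append(etype)
            pos += 4 + elen
    return {"version": version, "suites": suites, "extensions": extensions}

def offers_elliptic_curve(hello: dict) -> bool:
    """True if the client offered an EC suite or the supported_groups extension."""
    return bool(EC_SUITES & set(hello["suites"])) or SUPPORTED_GROUPS in hello["extensions"]

if __name__ == "__main__":
    hello = parse_client_hello(RECORD)
    print(len(hello["suites"]), "suites:", " ".join(f"{s:04X}" for s in hello["suites"]))
    print("offers elliptic-curve key exchange:", offers_elliptic_curve(hello))
```

Run against the logged packet, this shows which suites the client put on the wire, which can then be compared with the cipher suites enabled on the server.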