Go Back   FlashFXP Forums > >

General Discussion Need help? Have a problem? Let us help you. Bug reports and feature requests should be made using the Bug Tracker or Feature Tracker

Closed Thread
 
Thread Tools Rate Thread Display Modes
Old 12-20-2017, 03:23 PM   #1
msg7086
Member
FlashFXP Beta Tester
 
Join Date: Jul 2011
Location: Lincoln Park, NJ
Posts: 73
Default FlashFXP FTPES Client Certificate handshake failure

Yes, I know this post may be useless considering what has happened. But I still want to share this with you and, if possible, get some ideas from you.

I'm trying to set up FTP server with client certificate authentication. I'm using ProFTPd 1.3.5b.

On the server my configuration reads:

Code:
TLSEngine                               on
TLSProtocol                             SSLv23 TLSv1 TLSv1.2
TLSECCertificateFile                    /etc/ssl/ssl.crt
TLSECCertificateKeyFile                 /etc/ssl/ssl.key
TLSRequired                             ctrl
TLSCACertificateFile                    /etc/ssl/ca.crt
TLSVerifyClient                         on
TLSOptions                              AllowDotLogin
Where ca.crt is a self-signed ECDSA-SHA256 CA with a EC-384 key.

Client keys are generated and signed by the CA.

When connecting to the FTPES server from FlashFXP 5.4, it is unable to complete ssl handshake.

Code:
[15:12:35] [R] Connected to test ftp
[15:12:35] [R] 220 ProFTPD 1.3.5b Server (Debian) [::ffff:172.16.0.102]
[15:12:35] [R] AUTH TLS
[15:12:35] [R] 234 AUTH TLS successful
[15:12:35] [R] SSL error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[15:12:36] [R] Failed TLSv1 negotiation, disconnected
[15:12:36] [R] Connection failed (Connection closed by server)
[15:12:36] [R] Delaying for 10 seconds before reconnect attempt #1
Having tried explicitly specifying SSLv3 or TLSv1 or TLSv1.2 and none of the three works.

However a manual test using openssl CLI shows that the server is working fine.

Code:
D:\>openssl s_client -connect <<removed>> -starttls ftp -cert <<removed>>-ftp.crt -key <<removed>>-ftp.key
CONNECTED(00000158)
depth=0 CN = <<removed>>.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = <<removed>>.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=<<removed>>.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgISBLTsG9cQFS5GIqfAG2EVLjbTMA0GCSqGSIb3DQEBCwUA
<<removed>>
VxhOxUBUHrvNvG1a/102TDGQu+LGDyBUe40=
-----END CERTIFICATE-----
subject=/CN=<<removed>>.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/CN=<<removed>>CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1556 bytes and written 1379 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: <<removed>>
    Session-ID-ctx:
    Master-Key: <<removed>>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1513797526
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 ProFTPD 1.3.5b Server (Debian) [::ffff:172.16.0.102]
user root
232 User root logged in
stat -al
211-Status of .:
211-<<removed>>
211 End of status
quit
221 Goodbye.
closed
Both RSA-2048 and EC-384 key pairs were tried, and results were the same.
__________________
Beta testing environment
Desktop:
* * Intel i7-4770 * 16G RAM * SSD * 3 HDD *
* * Simplified Chinese Windows 10 *
Laptop:
* * Intel i5-5200U * 12G RAM * SSD * HDD
* * Simplified Chinese Windows 10 *
msg7086 is offline  
Closed Thread

Tags
certificate, flashfxp, ftp, ftpes, server


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 07:00 AM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)