FTPS on a ProFTPD server - A call to SSPI failed, the message received was unexpected or badly formatted
FTP OS: Windows
FTP Server: ProFTPD
Computer OS: Windows
FluentFTP Version: 33.0.3
I'd like to connect to a ProFTPD server with a .key or .cer file but I'm getting an exception provoked by an inner exception:
A call to SSPI failed, see inner exception.
The message received was unexpected or badly formatted
I have tried with a .key file on WinSCP on TLSv1 and it works fine.
Current code:
```csharp
_client = new FtpClient(
    configuration.Host,
    configuration.Port,
    new NetworkCredential(configuration.Login, configuration.Password));
if (configuration.FtpOverTls)
{
    _client.EncryptionMode = FtpEncryptionMode.Explicit;
    _client.ValidateAnyCertificate = true;
    if (!string.IsNullOrEmpty(configuration.FtpsCertificatePath))
    {
        _client.SslProtocols = SslProtocols.Default;
        _client.ClientCertificates.Add(new X509Certificate(configuration.FtpsCertificatePath));
    }
}
```
Logs:
```
Status: Detected FTP server: ProFTPD
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Disposing FtpSocketStream...
Error: FTPS Authentication Failed
Exception thrown: 'System.Security.Authentication.AuthenticationException' in FluentFTP.dll
Service batch failed, retrying later... See exception below.
System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at FluentFTP.FtpSocketStream.ActivateEncryption(String targethost, X509CertificateCollection clientCerts, SslProtocols sslProtocols)
   at FluentFTP.FtpClient.Connect()
```
If you get SSPI exceptions with an inner exception about an unexpected or badly formatted message, you are probably using the wrong type of certificate.
See below, copied from https://github.com/robinrodricks/FluentFTP/wiki/FTPS-Connection#faq_certs
How do I use client certificates to login with FTPS? Add your certificate into ClientCertificates and then Connect().
```csharp
client.EncryptionMode = FtpEncryptionMode.Explicit;
client.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
client.SocketKeepAlive = false;
// Note: X509Certificate2, not X509Certificate
client.ClientCertificates.Add(new X509Certificate2(@"C:\mycert.cer"));
client.ValidateCertificate += (control, e) => {
    // Accept the server certificate only if it validated without policy errors
    e.Accept = e.PolicyErrors == SslPolicyErrors.None;
};
client.Connect();
```
And ensure that:
- You use X509Certificate2 objects, not the incomplete X509Certificate implementation.
- You do not use pem certificates, use p12 instead. See this Stack Overflow thread for more information. If you get SSPI exceptions with an inner exception about an unexpected or badly formatted message, you are probably using the wrong type of certificate.
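The advice above as an added example (not code from the thread or from FluentFTP): load the client certificate from a PKCS#12 file as an `X509Certificate2` and check that it carries a private key before the TLS handshake, so a public-only file fails with a clear message instead of the SSPI error. The class and method names and the `p12Path`/`p12Password` parameters are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using FluentFTP;

static class FtpsClientCertExample // hypothetical helper class
{
    // Load a PKCS#12 (.p12/.pfx) bundle and reject anything without a private key.
    // TLS client authentication needs the key to prove ownership of the certificate.
    public static X509Certificate2 LoadClientCertificate(string p12Path, string p12Password)
    {
        var cert = new X509Certificate2(p12Path, p12Password);
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Certificate '" + cert.Subject + "' from " + p12Path +
                " has no private key; use a p12 file that bundles certificate and key.");
        }
        return cert;
    }

    public static FtpClient Connect(string host, int port, NetworkCredential login,
                                    string p12Path, string p12Password)
    {
        var client = new FtpClient(host, port, login);
        client.EncryptionMode = FtpEncryptionMode.Explicit;
        client.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
        client.ClientCertificates.Add(LoadClientCertificate(p12Path, p12Password));

        // Keep server certificate validation on: accept only a clean chain.
        client.ValidateCertificate += (control, e) =>
        {
            e.Accept = e.PolicyErrors == SslPolicyErrors.None;
        };

        client.Connect();
        return client;
    }
}
```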
Isn't it a lack of implementation/support then since it works with WinSCP .NET libraries?
Edit: oh okay, just seen the tiny difference here lol. I'm gonna try soon, thank you!
There was never any response to this and the explanation was provided. Closing 2 year old issue.