FluentFTP
FluentFTP copied to clipboard
robinrodricks
39.0.1 - Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'.
FTP OS: QNAP NAS
FTP Server: ProFTPD
Computer OS: Windows 10 / Visual Studio 2022
FluentFTP Version: 39.0.1
Framework: .NET6.0
Here my code to connect to our customer:
_''' <summary>
''' Herstellen einer Verbindung zu einem FTP-Server
''' </summary>
''' <param name="FtpServer"></param>
Public Sub Connect(FtpServer As FtpServer)
Try
If FTPSClnt Is Nothing Then
FTPSClnt = New FtpClient
With FTPSClnt
.Host = FtpServer.ServerAdress
.Credentials = New Net.NetworkCredential(FtpServer.UserName, FtpServer.Password)
.EncryptionMode = FtpEncryptionMode.Explicit
.SslProtocols = .SslProtocols Or Security.Authentication.SslProtocols.Tls13 Or Security.Authentication.SslProtocols.Tls12 Or
Security.Authentication.SslProtocols.Tls11 Or Security.Authentication.SslProtocols.Tls
.Port = FtpServer.Port
.DataConnectionEncryption = True
.DownloadDataType = FtpDataType.Binary
.ValidateAnyCertificate = True
.EnableThreadSafeDataConnections = True
.SocketKeepAlive = True
.DataConnectionType = FtpDataConnectionType.EPSV
.SslBuffering = FtpsBuffering.Off
End With
End If
If FTPSClnt.IsConnected = False Then
Me.FTPLOG_ENABLE = "C:\tmp\Fluent.log"
FTPSClnt.Connect()
End If
Catch ex As Exception
NLOGLOGGER.Fatal("Connection is abnormal ending")
NLOGLOGGER.Fatal(ex.Message)
End Try
End Sub_
When I try to connect, then I have the error:
One or more errors occurred. (Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'.)
Logs :
Here the logs from Fluent
# Connect() Status: Connecting to*...*:21 Response: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD) [::ffff:10.1.10.6] Status: Detected FTP server: ProFTPD Command: AUTH TLS Response: 234 AUTH TLS successful
If i connect with Filezilla, then I have following Log
2022-08-05 15:40:48 6284 1 Status: Auflösen der IP-Adresse für ftp.xxxx.de 2022-08-05 15:40:48 6284 1 Status: Verbinde mit ...:21... 2022-08-05 15:40:48 6284 1 Status: Verbindung hergestellt, warte auf Willkommensnachricht... 2022-08-05 15:40:48 6284 1 Antwort: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD) [::ffff:10.1.10.6] 2022-08-05 15:40:48 6284 1 Befehl: AUTH TLS 2022-08-05 15:40:49 6284 1 Antwort: 234 AUTH TLS successful 2022-08-05 15:40:49 6284 1 Status: Initialisiere TLS... 2022-08-05 15:40:51 6284 1 Status: TLS-Verbindung hergestellt. 2022-08-05 15:40:51 6284 1 Befehl: USER *** 2022-08-05 15:40:51 6284 1 Antwort: 331 Password required for *** 2022-08-05 15:40:51 6284 1 Befehl: PASS ********** 2022-08-05 15:40:51 6284 1 Antwort: 230 User *** logged in 2022-08-05 15:40:51 6284 1 Befehl: SYST 2022-08-05 15:40:51 6284 1 Antwort: 215 UNIX Type: L8 2022-08-05 15:40:51 6284 1 Befehl: FEAT 2022-08-05 15:40:51 6284 1 Antwort: 211-Features: 2022-08-05 15:40:51 6284 1 Antwort: AUTH TLS 2022-08-05 15:40:51 6284 1 Antwort: CCC 2022-08-05 15:40:51 6284 1 Antwort: CLNT 2022-08-05 15:40:51 6284 1 Antwort: EPRT 2022-08-05 15:40:51 6284 1 Antwort: EPSV 2022-08-05 15:40:51 6284 1 Antwort: HOST 2022-08-05 15:40:51 6284 1 Antwort: LANG en-US* 2022-08-05 15:40:51 6284 1 Antwort: MDTM 2022-08-05 15:40:51 6284 1 Antwort: MFF modify;UNIX.group;UNIX.mode; 2022-08-05 15:40:51 6284 1 Antwort: MFMT 2022-08-05 15:40:51 6284 1 Antwort: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*; 2022-08-05 15:40:51 6284 1 Antwort: PBSZ 2022-08-05 15:40:51 6284 1 Antwort: PROT 2022-08-05 15:40:51 6284 1 Antwort: REST STREAM 2022-08-05 15:40:51 6284 1 Antwort: SIZE 2022-08-05 15:40:51 6284 1 Antwort: SSCN 2022-08-05 15:40:51 6284 1 Antwort: TVFS 2022-08-05 15:40:51 6284 1 Antwort: 211 End 2022-08-05 15:40:51 6284 1 Status: Der Server unterstützt keine Nicht-ASCII-Zeichen. 2022-08-05 15:40:51 6284 1 Befehl: PBSZ 0 2022-08-05 15:40:51 6284 1 Antwort: 200 PBSZ 0 successful 2022-08-05 15:40:51 6284 1 Befehl: PROT P 2022-08-05 15:40:51 6284 1 Antwort: 200 Protection set to Private 2022-08-05 15:40:51 6284 1 Status: Angemeldet 2022-08-05 15:40:51 6284 1 Status: Empfange Verzeichnisinhalt... 2022-08-05 15:40:51 6284 1 Befehl: PWD 2022-08-05 15:40:51 6284 1 Antwort: 257 "/" is the current directory 2022-08-05 15:40:51 6284 1 Befehl: TYPE I 2022-08-05 15:40:51 6284 1 Antwort: 200 Type set to I 2022-08-05 15:40:51 6284 1 Befehl: PASV 2022-08-05 15:40:51 6284 1 Antwort: 227 Entering Passive Mode (10,1,10,6,217,252). 2022-08-05 15:40:51 6284 1 Status: Vom Server gesendete Adresse für den Passiv-Modus ist nicht routingfähig. Benutze stattdessen die Serveradresse. 2022-08-05 15:40:51 6284 1 Befehl: MLSD 2022-08-05 15:40:51 6284 1 Antwort: 150 Opening BINARY mode data connection for MLSD 2022-08-05 15:40:51 6284 1 Antwort: 226 Transfer complete 2022-08-05 15:40:51 6284 1 Status: Anzeigen des Verzeichnisinhalts für "/" abgeschlossen
EnableThreadSafeDataConnections is bad and should not be used.
SslProtocols is probably the issue here - many protocols are broken in .NET - try this SysSslProtocols.Tls12 | SysSslProtocols.Tls11
I suggest trying AutoConnect/Async first and if that does not work, then try a manual Connect.
Thanks for your reply. The problem is: our customer allow only connections with TLS1.3.
I have disable EnableThreadSafeDataConnections - but no success
In FileZilla the connection is working fine
The AutoConnect cannot find a combination that works
Thanks for your work. Here is the log of your new BETA1-Version
_ AutoConnect()
AutoDetect(True, False)
Connect() Status: Connecting to x.x.x.x:21 Response: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD) [::ffff:10.1.10.6] Status: Detected FTP server: ProFTPD Command: AUTH TLS Response: 234 AUTH TLS successful Status: There is stale data on the socket, maybe our connection timed out or you did not call GetReply(). Re-connecting... Status: Disposing FtpSocketStream... Status: Not sending QUIT because the connection has already been closed. Status: Disposing FtpSocketStream...
Connect() Status: Connecting to x.x.x.x:990 Status: Disposing FtpSocketStream..._
Can you call
AutoDetect()[0].ToCode()and show me the code here?
Ausnahme ausgelöst: "System.ArgumentOutOfRangeException" in System.Private.CoreLib.dll
I think that they didn´t find any possible Connection, so the array is empty
See what I am doing in AutoConnect is catching this error Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'. and then using TLS 1.3. Can you confirm if this error is occurring during Connect()?
See what I am doing in AutoConnect is catching this error
Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'.and then using TLS 1.3. Can you confirm if this error is occurring duringConnect()?
Yes - I confirm - this error come up, when I use Connect()
Try this...
At moment I only use following settings:
` With FTPSClnt
.Host = FtpServer.ServerAdress
.Credentials = New Net.NetworkCredential(FtpServer.UserName, FtpServer.Password)
.EncryptionMode = FtpEncryptionMode.Explicit
.Port = FtpServer.Port
End With
FTPSClnt.Connect()
`
But the error still exists.
Do you think it is helpfull if I send you my credentials and you try to connect? Maybe a configuration of me is wrong?
Ah thats why its not working. You need to try AutoConnect with the new version.
FTPSClnt = New FtpClient
With FTPSClnt
.Host = FtpServer.ServerAdress
.Credentials = New Net.NetworkCredential(FtpServer.UserName, FtpServer.Password)
.Port = FtpServer.Port
End With
FTPSClnt.AutoConnect()
When I use 'AutoConnect()' then I have the same behavior like BETA1.
- No Exception
- No Connection
- Same log-infos like BETA1
Please try this with AutoConnect...
Sorry - same as before. No connection is possible
With FTPSClnt
.Host = FtpServer.ServerAdress
.Credentials = New Net.NetworkCredential(FtpServer.UserName, FtpServer.Password)
.EncryptionMode = FtpEncryptionMode.Explicit
.SslProtocols = Security.Authentication.SslProtocols.Tls13
.Port = FtpServer.Port
.DownloadDataType = FtpDataType.Binary
.ValidateAnyCertificate = True
.SocketKeepAlive = True
.DataConnectionType = FtpDataConnectionType.EPSV
.SslBuffering = FtpsBuffering.Off
FTPSClnt.Connect()
Sorry - i cann´t give you a reply now. Our customers FTP-Server is down till Tuesday. On Wednesday i can try again. Then I will send you the result
Hello, now I can test your suggestion. But they didn´t work. But I have a new Errormessage:
Der Client und der Server können keine Daten austauschen, da sie nicht über einen gemeinsamen Algorithmus verfügen.
I think that is in english: The client and server cannot communicate, because they do not possess a common algorithm
PS: I have investigate with wireshark.
With FileZilla Client i see: After the Response: 234 AUTH TLS successfull FileZilla response with Client Hello as TLS1.3 Protocol. Then the Cipher will be changed
With the App/FluentFTP this Client Hello and Cipher Change Procedure is missing complet
PS 2: Here is the return result of the customers-ftp Server in wireshark when i use FileZilla Client:
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Compression Method: null (0)
Key Share extension
Group: secp384r1 (24)
PS 3: I have tried your actual version (3.9.2) but the message come allways up and no connection possible
I have a similar problem with the FTPS server on my Synology NAS after I updated the NAS to DSM 7.0. I don't know which FTP deamon is being used there, but it supports TLS1.3 and TLS1.2. Same error in the log when I let FluentFTP negotiate TLS:
Status: There is stale data on the socket, maybe our connection timed out or you did not call GetReply(). Re-connecting...
Important: FluentFTP is then not reacting correctly because it seems to invoke connect() itself in a loop. There is no way to get out of this loop except by counting the attempts in the callback for the host key and then not accepting the key.
-
I can get rid of the error (and connect successfully) by setting the following:
_ftpClient.StaleDataCheck = false;That works but doesn't give me a comfortable feeling. I also don't know whether the connection is now TLS1.3. I can't see anything in FluentFTP that informs me about the negotiated protocol. But maybe I overlooked something. -
I can also get rid of the error by forcing TLS1.2, but that is not what people want to do.
I can only again stress the importance of having full TLS1.3 support in FluentFTP. Is it still true that this is something that is not correct in .NET? That seems so strange. Can someone point me to where it is stated that there is an issue in .NET?
I am using FluentFTP 39.2.1.
Its hard for me to debug this because I don't have a server like yours at hand to test TLS 1.3, so I have to guess what the issue is and make potential fixes.
Its hard for me to debug this because I don't have a server like yours at hand to test TLS 1.3, so I have to guess what the issue is and make potential fixes.
Can it be helpful, when I ask our customer to give me a set of credentials for you so you can test it? How can I send the user/password to you?
Can you try this version with
AutoConnect@JosHuybrighs @MyKeySoftMK FluentFTP.39.2.2-BETA1.zip
Sorry - no connection possible - same as before
@MyKeySoftMK check your email, you should get a message from github about possible next steps.
@MyKeySoftMK check your email, you should get a message from github about possible next steps.
@robinrodricks Thanks - I have do this steps - please confirm it
@MyKeySoftMK thanks, have received the info, will proceed and let you know.
I made some fixes to AutoConnect.
It's using TLS1.2 as of now, and the connection is working.
Is this ok or do you want TLS 1.3?
I made some fixes to AutoConnect.
It's using TLS1.2 as of now, and the connection is working.
Is this ok or do you want TLS 1.3?
Fine - our customer inform us, that starting with 1.10. it will be changed to "Explizites FTP over TLS“ in Version 1.3. So I think i need the 1.3
Released. Please check. No config is needed, just use AutoConnect/Async.
https://www.nuget.org/packages/FluentFTP/39.3.0
Thanks for upload. I try to use this new Version. When I use AutoConnect then I have following error: FTPS security could not be established on the server. The certificate was not accepted.
My code is actual:
FTPSClnt = New FtpClient
With FTPSClnt
.Host = FtpServer.ServerAdress
.Credentials = New Net.NetworkCredential(FtpServer.UserName, FtpServer.Password)
End With
FTPSClnt.AutoConnect()
When I add .ValidateAnyCertificate = True the same error come up
The same code is working for me:
var client = new FtpClient() { Host = "XXX", Credentials = new NetworkCredential("XXX", "XXX") };
client.AutoConnect();
Maybe on your FTP account its forcing FTPS or TLS 1.3 and with mine its not?
As you can see the server is rejecting FTPS:
Status: Connecting to ***:21
Response: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD)
Status: Detected FTP server: ProFTPD
Command: AUTH TLS
Response: 504 Command not implemented for that parameter
Maybe on your FTP account its forcing FTPS or TLS 1.3 and with mine its not?
You and I use the same Account
I'm using NET 6 on Win 10 x64, exactly as you, so no idea why this is coming up.
Now I traying following:
I make a new .NET6 Console Application. In the startup/Main-Method i put only the code for tracing an connecting. Nothing else as FluentFtp 3.9.0 is dependency
When I run it, then the exception FTPS security could not be established on the server. The certificate was not accepted. come up
Try this: FluentFTP.39.3.1-BETA1.zip
Catch the exception and get ex.InnerException and see what it is.
Die angeforderte Funktion wird nicht unterstützt.
And they come from DirectCast(ex, FluentFTP.FtpInvalidCertificateException).InnerException.InnerException.Message
Does this work? FluentFTP.39.3.1-BETA2.zip
They didn´t work - sorry
I have download your code and set as reference to my small test app (only one funtion: use autoconnect).
When I step through \Streams\FtpSocketStream.cs then it jumped out in line 1128:
m_sslStream.AuthenticateAsClientAsync(targethost, clientCerts, sslProtocols, Client.ValidateCertificateRevocation).Wait();
But they didn´t catch it from the try in line 1109 - the catched from \Client\Modules\ConnectModule.cs in line 137
I did not commit the changed code. Now I have committed it. Can you debug it again and see where the exception is coming from?
Here is my application Configuration
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<RootNamespace>MYKEY.FxCore.FluentFtp</RootNamespace>
<TargetFramework>net6.0-windows</TargetFramework>
<Platforms>AnyCPU;x64;x86</Platforms>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="..\FluentFTP\FluentFTP.csproj" />
</ItemGroup>
</Project>
The exexption will come up in \Streams\FtpSocketStream.cs in line 1128:
m_sslStream.AuthenticateAsClientAsync(targethost, clientCerts, sslProtocols, Client.ValidateCertificateRevocation).Wait();
Win32Exception: Die angeforderte Funktion wird nicht unterstützt.
Following exeption: FTPS security could not be established on the server. The certificate was not accepted.
The log is:
AutoConnect()
AutoDetect(True, False)
Connect() Status: Connecting to ***:21 Response: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD) [::ffff:10.1.10.6] Status: Detected FTP server: ProFTPD Command: AUTH TLS Response: 234 AUTH TLS successful Status: There is stale data on the socket, maybe our connection timed out or you did not call GetReply(). Re-connecting... Status: Disposing FtpSocketStream... Status: Not sending QUIT because the connection has already been closed. Status: Disposing FtpSocketStream...
InnerExeption: Der Client und der Server können keine Daten austauschen, da sie nicht über einen gemeinsamen Algorithmus verfügen.
AutoConnect()
AutoDetect(True, False)
Connect() Status: Connecting to ***:21 Response: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD) [::ffff:10.1.10.6] Status: Detected FTP server: ProFTPD Command: AUTH TLS Response: 234 AUTH TLS successful Status: There is stale data on the socket, maybe our connection timed out or you did not call GetReply(). Re-connecting... Status: Disposing FtpSocketStream... Status: Not sending QUIT because the connection has already been closed. Status: Disposing FtpSocketStream... Status: Failed to connect with TLS1.1/TLS1.2, trying TLS1.3
Connect() Status: Connecting to ***:21 Response: 220 NASFTPD Turbo station 1.3.6 Server (ProFTPD) [::ffff:10.1.10.6] Status: Detected FTP server: ProFTPD Command: AUTH TLS Response: 234 AUTH TLS successful Command: QUIT Warning: FtpClient.Disconnect(): Exception caught and discarded while closing control connection: System.InvalidOperationException: This operation is only allowed using a successfully authenticated context. at System.Net.Security.SslStream.ThrowNotAuthenticated() at System.Net.Security.SslStream.Write(Byte[] buffer, Int32 offset, Int32 count) at FluentFTP.FtpSocketStream.Write(Byte[] buffer, Int32 offset, Int32 count) in D:\Github\FluentFTP\FluentFTP\Streams\FtpSocketStream.cs:line 660 at FluentFTP.FtpClient.Execute(String command) in D:\Github\FluentFTP\FluentFTP\Client\FtpClient_Stream.cs:line 85 at FluentFTP.FtpClient.Disconnect() in D:\Github\FluentFTP\FluentFTP\Client\FtpClient_Connection.cs:line 912 Status: Disposing FtpSocketStream...
I think you need to add client certificates before calling autoconnect
https://github.com/robinrodricks/FluentFTP/wiki/FTP-Connection#faq_certs
https://github.com/robinrodricks/FluentFTP/wiki/FTP-Connection#faq_certs
Now I have add AddHandler _ftpClient.ValidateCertificate, New FtpSslValidation(AddressOf OnValidateCertificate)
But the Handler is not executed
client.ClientCertificates.Add(new X509Certificate2("C:\mycert.cer"));
OR
// Select certificate and add to client
X509Store store = new X509Store("MY", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
X509Certificate2Collection scollection = X509Certificate2UI.SelectFromCollection(fcollection, "Select a certificate", "Select a certificate", X509SelectionFlag.MultiSelection);
if (scollection.Count != 1)
{
throw new Exception("Error: You have not chosen exactly one certificate");
}
foreach (X509Certificate2 x509 in scollection)
{
client.ClientCertificates.Add(x509);
}
store.Close();
and then AutoConnect
@robinrodricks I updated to v39.3.0 (using the nuget package) but the connection is still not successfull in 2 scenarios:
- Using client.Connect() with SslProtocols.Tls13 and SslProtocols.None
- Using client.AutoConnect()
Here are the results. The first test (successfull) is with client.Connect() and forcing TLS1.2 The others were all unsuccessfull.
- Successfull using ftpClient.Connect and forcing Tls1.2
2022.08.16 13:10:01.715 21:FTPPickerDialog - Try to connect to server 'mars'
2022.08.16 13:10:01.839 21:FTPStorageDevice.Open - Host: mars, port: 990, account: xxxxxxxx, connectionMode: 0, tlsProtocol: Tls12
2022.08.16 13:10:01.901 21:FTPStorageDevice.Initialize - Extract trusted certificates list
2022.08.16 13:10:01.946 21:FTPStorageDevice.Initialize - File contains 4 entries
2022.08.16 13:10:01.992 21:--FluentFTP-- > Connect()
2022.08.16 13:10:02.071 21:--FluentFTP-- Status: Connecting to ***:990
2022.08.16 13:10:02.133 21:--FluentFTP-- Response: 220 Mars FTP server ready.
2022.08.16 13:10:02.179 21:--FluentFTP-- Command: AUTH TLS
2022.08.16 13:10:02.225 21:--FluentFTP-- Response: 234 AUTH TLS command successful.
2022.08.16 13:10:02.458 14:FTPStorageDevice.ValidateCertificate - Checking certificate for $mars:990, fingerprint: 6DF97A686F77BFED2B860242D71ED4799C29D41E
2022.08.16 13:10:02.505 14:FTPStorageDevice.ValidateCertificate - Certificate found in TrustedCerts and accepted
2022.08.16 13:10:02.552 21:--FluentFTP-- Status: FTPS Authentication Successful
2022.08.16 13:10:02.598 21:--FluentFTP-- Status: Time to activate encryption: 0h 0m 0s. Total Seconds: 0,2775193.
2022.08.16 13:10:02.645 21:--FluentFTP-- Command: USER ***
2022.08.16 13:10:02.738 21:--FluentFTP-- Response: 331 Password required for admin.
2022.08.16 13:10:02.785 21:--FluentFTP-- Command: PASS ***
2022.08.16 13:10:02.909 21:--FluentFTP-- Response: 230 User admin logged in.
2022.08.16 13:10:02.955 21:--FluentFTP-- Command: PBSZ 0
2022.08.16 13:10:02.987 21:--FluentFTP-- Response: 200 PBSZ command successful (PBSZ=0).
2022.08.16 13:10:03.032 21:--FluentFTP-- Command: PROT P
2022.08.16 13:10:03.064 21:--FluentFTP-- Response: 200 Protection level set to Private.
2022.08.16 13:10:03.110 21:--FluentFTP-- Command: FEAT
2022.08.16 13:10:03.156 21:--FluentFTP-- Response: 211- Extensions supported:
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: CCC
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: MFMT
Response: TVFS
Response: MLST modify*;type*;unique*;size*;UNIX.mode*;UNIX.owner*;UNIX.group*;
Response: MLSD modify*;type*;unique*;size*;UNIX.mode*;UNIX.owner*;UNIX.group*;
Response: UTF8
2022.08.16 13:10:03.203 21:--FluentFTP-- Response: 211 End.
2022.08.16 13:10:03.266 21:--FluentFTP-- Status: Text encoding: System.Text.UTF8Encoding+UTF8EncodingSealed
2022.08.16 13:10:03.297 21:--FluentFTP-- Command: OPTS UTF8 ON
2022.08.16 13:10:03.344 21:--FluentFTP-- Response: 200 OK, UTF-8 enabled
2022.08.16 13:10:03.391 21:--FluentFTP-- Command: SYST
2022.08.16 13:10:03.437 21:--FluentFTP-- Response: 215 UNIX Type: L8
2022.08.16 13:10:03.483 21:--FluentFTP-- Status: Listing parser set to: Machine
2022.08.16 13:10:03.515 21:--FluentFTP-- Command: PWD
2022.08.16 13:10:03.562 21:--FluentFTP-- Response: 257 "/" is current directory.
2022.08.16 13:10:03.609 21:FTPStorageDevice.Initialize - SUCCESS
2022.08.16 13:10:03.656 1:FTPPickerDialog - Got Connected
- Unsuccessfull using ftpClient.Connect and SslProtocols.Tls13 or SslProtocols.None
2022.08.16 13:13:18.496 26:FTPPickerDialog - Try to connect to server 'mars'
2022.08.16 13:13:18.538 26:FTPStorageDevice.Open - Host: mars, port: 990, account: xxxxxxxx, connectionMode: 0, tlsProtocol: LetOsDecide
2022.08.16 13:13:18.631 26:FTPStorageDevice.Initialize - Extract trusted certificates list
2022.08.16 13:13:18.677 26:FTPStorageDevice.Initialize - File contains 4 entries
2022.08.16 13:13:18.709 26:--FluentFTP-- > Connect()
2022.08.16 13:13:18.781 26:--FluentFTP-- Status: Connecting to ***:990
2022.08.16 13:13:18.865 26:--FluentFTP-- Response: 220 Mars FTP server ready.
2022.08.16 13:13:18.897 26:--FluentFTP-- Command: AUTH TLS
2022.08.16 13:13:18.930 26:--FluentFTP-- Response: 234 AUTH TLS command successful.
2022.08.16 13:13:19.006 14:FTPStorageDevice.ValidateCertificate - Checking certificate for $mars:990, fingerprint: 6DF97A686F77BFED2B860242D71ED4799C29D41E
2022.08.16 13:13:19.053 14:FTPStorageDevice.ValidateCertificate - Certificate found in TrustedCerts and accepted
2022.08.16 13:13:19.101 26:--FluentFTP-- Status: FTPS Authentication Successful
2022.08.16 13:13:19.149 26:--FluentFTP-- Status: Time to activate encryption: 0h 0m 0s. Total Seconds: 0,1231911.
2022.08.16 13:13:19.198 26:--FluentFTP-- Status: There is stale data on the socket, maybe our connection timed out or you did not call GetReply(). Re-connecting...
2022.08.16 13:13:19.246 26:--FluentFTP-- Status: Disposing FtpSocketStream...
2022.08.16 13:13:19.310 26:--FluentFTP-- > Connect()
2022.08.16 13:13:19.372 26:--FluentFTP-- Status: Connecting to ***:990
2022.08.16 13:13:19.434 26:--FluentFTP-- Response: 220 Mars FTP server ready.
2022.08.16 13:13:19.496 26:--FluentFTP-- Command: AUTH TLS
2022.08.16 13:13:19.544 26:--FluentFTP-- Response: 234 AUTH TLS command successful.
2022.08.16 13:13:23.470 26:FTPStorageDevice.Initialize - FAIL-4, ErrorCode: -2146233088, One or more errors occurred. (The remote certificate was rejected by the provided RemoteCertificateValidationCallback.)
2022.08.16 13:13:23.517 1:FTPPickerDialog - Got CouldNotAuthenticate
Notice the 'There is stale data on the socket..' message which apparently is not correctly handled by FluentFTP since it initates itself again a 'connect'. As I mentioned earlier, this keeps on running in a loop. I can stop the loop by not accepting the certificate the 2nd time the certificate validation event comes in.
- Unsuccessfull using ftpClient.AutoConnect() - _ftpClient.SslProtocols is not set, assume it is SslProtocols.None
2022.08.16 13:20:21.447 18:FTPPickerDialog - Try to connect to server 'mars'
2022.08.16 13:20:21.479 18:FTPStorageDevice.Open - Host: mars, port: 990, account: xxxxxxxx, connectionMode: 0, tlsProtocol: Tls12 (not set)
2022.08.16 13:20:21.525 18:FTPStorageDevice.Initialize - Extract trusted certificates list
2022.08.16 13:20:21.573 18:FTPStorageDevice.Initialize - File contains 4 entries
2022.08.16 13:20:21.605 18:--FluentFTP-- > AutoConnect()
2022.08.16 13:20:21.668 18:--FluentFTP-- > AutoDetect(True, False)
2022.08.16 13:20:21.714 18:--FluentFTP-- > Connect()
2022.08.16 13:20:21.778 18:--FluentFTP-- Status: Connecting to ***:21
2022.08.16 13:20:23.887 18:--FluentFTP-- Status: Disposing FtpSocketStream...
2022.08.16 13:20:23.949 18:--FluentFTP-- > Connect()
2022.08.16 13:20:24.010 18:--FluentFTP-- Status: Connecting to ***:990
2022.08.16 13:20:24.088 18:--FluentFTP-- Status: There is stale data on the socket, maybe our connection timed out or you did not call GetReply(). Re-connecting...
2022.08.16 13:20:24.119 18:--FluentFTP-- Status: Disposing FtpSocketStream...
2022.08.16 13:20:24.166 18:--FluentFTP-- Status: Not sending QUIT because the connection has already been closed.
2022.08.16 13:20:24.197 18:--FluentFTP-- Status: Disposing FtpSocketStream...
2022.08.16 13:20:24.244 18:FTPStorageDevice.Initialize - NOT CONNECTED
2022.08.16 13:20:24.309 1:FTPPickerDialog - Got DriveNotAvailable
Notice that here also there is a 'There is stale data on the socket..' message but FluentFTP apparently then immediately disposes the socket stream.
I am not sure what AutoConnect() is supposed to do but I see that, altough the port is set to 990 it first tries on port 21, which doesn't make sense.
@robinrodricks To help you with this I can do 2 things:
- Allow you to access the FTPS server on my Synology NAS using a 'test' account.
- Try to add the FluentFTP source code to my VS solution and try to find out, with my limited knowledge of TLS1.3, what goes wrong.
The latter will take a while for me but I can try and give it a shot.
client.ClientCertificates.Add(new X509Certificate2("C:\mycert.cer"));OR
// Select certificate and add to client X509Store store = new X509Store("MY", StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates; X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByTimeValid, DateTime.Now, false); X509Certificate2Collection scollection = X509Certificate2UI.SelectFromCollection(fcollection, "Select a certificate", "Select a certificate", X509SelectionFlag.MultiSelection); if (scollection.Count != 1) { throw new Exception("Error: You have not chosen exactly one certificate"); } foreach (X509Certificate2 x509 in scollection) { client.ClientCertificates.Add(x509); } store.Close();and then
AutoConnect
Thank you. I will try it - but i didn´t find a way to download the cert from the ftp-server our customer.
Can you give me a hint?
@MyKeySoftMK Like so:
In ftp connect:
_ftpClient.ValidateCertificate += _ftpClient_ValidateCertificate;
In the certificate validation method the complete server's certificate is saved in x509Cert.
private void _ftpClient_ValidateCertificate(FtpClient control, FtpSslValidationEventArgs e)
{
X509Certificate2 x509Cert = (X509Certificate2)(e.Certificate);
if (x509Cert == null)
{
x509Cert = new X509Certificate2(e.Certificate);
}
e.Accept = false;
// Check if certificate is trusted
string serverAddressAndPort = $"{_ftpClient.Host}:{_ftpClient.Port}";
ConditionalFileLogger.Log($"FTPStorageDevice.ValidateCertificate - Checking certificate for ${serverAddressAndPort}, fingerprint: {x509Cert.Thumbprint}");
var cert = _trustedCerts.FirstOrDefault(c => c.ServerAddressAndPort.Equals(serverAddressAndPort, StringComparison.OrdinalIgnoreCase) &&
c.Fingerprint == x509Cert.Thumbprint);
bool certFound = cert != null;
if (certFound)
{
_certTrusted = true;
e.Accept = true;
ConditionalFileLogger.Log("FTPStorageDevice.ValidateCertificate - Certificate found in TrustedCerts and accepted");
}
else
{
_certTrusted = false;
ConditionalFileLogger.Log("FTPStorageDevice.ValidateCertificate - Certificate not found");
CertDetails = new CertificateDetails()
{
Subject = x509Cert.Subject,
Issuer = x509Cert.Issuer,
SerialNumber = x509Cert.GetSerialNumberString(),
FromDate = x509Cert.NotBefore,
ToDate = x509Cert.NotAfter,
Fingerprint = x509Cert.Thumbprint
};
string oidName = "?";
try
{
oidName = x509Cert.PublicKey.Oid.FriendlyName;
CertDetails.PubKeyAlgorithm = $"{x509Cert.PublicKey.Key.KeyExchangeAlgorithm} ({x509Cert.PublicKey.Key.KeySize} Bits)";
}
catch (Exception)
{
CertDetails.PubKeyAlgorithm = $"{oidName} - Further info not extracted";
}
ConditionalFileLogger.Log($"FTPStorageDevice.ValidateCertificate - CertDetails configured for presentation to the UI");
}
}
I am using this in my SyncFolder sync/backup app (Windows Store) to retrieve certificates for possible multiple servers and save it in an own trusted certs store (actually a json file).
When a connecting to a new server the certificate is not known yet and the data that is important is saved in the CertDetails property. The UI will pick it up and ask the user to save (and trust) it.
Hope this helps
I have set the Handler. Then I use AutoConnct. But the ValidateCertificate-Event is not raising - so i cann´t react on Cert-Sync
@robinrodricks I did some further TLS1.3 tests against my Synology FTP server, added the master GitHub version of the FluentFTP project to my Visual Studio solution, and observed the following:
- TLS session negotiation (Client Hello, Server Hello, Keys and Certificate exchange, ..) is always successfull.
- When
m_stream.ActivateEncryptionreturns, there is still 86 bytes of unread data inm_stream. - The next
Execute("USER " + userName)then fails with 'Stale Data'.
I took a look at the stream data of the session negotation using Wireshark, and see there that the FTP server responds with 4 application data records, immediately followed by 1 other application data record. I am not sure, but what I understand from TLS 1.3 is that the first 4 records are used for the session negotiation. I debugged the code for checking stale data and what I see is that the unread data corresponds with the 5th application data record as I see it in Wireshark.
When I configure _ftpClient.StaleDataCheck = false, the connection is successfull and further data transfer (list folders, etc.) is OK. So it looks like the data is required and I assume it will, after the session activation, be consumed by sslstream (sChannel).
So, my question: is the check for 'Stale Data' correct in FluentFTP when using TLS 1.3? The reason why I ask is because I saw this code in ConnectModule.cs:
#if NET50_OR_LATER
if (protocol == SysSslProtocols.Tls13) {
client.StaleDataCheck = false;
}
else {
client.StaleDataCheck = true;
}
#endif
I am using .NET6
@robinrodricks I try to find out something helpfull
If I use Connect (and some configuration of the ftpclient) then Line 1128 send nothing to the ftp-Host. If I use AutoConnect then it send the "Hello" - but no connection is possible. They bring up the execption while testing Tls1.1/1.2 - no test for 1.3
I have the feeling that TLS1.3 is not working correctly for me
@MyKeySoftMK
If it would be of help, the next code is what I use in my SyncFolder app to connect with a FTP(S) server. It is being used by multiple users with various type of servers.
Setting _ftpClient.SslProtocols = SslProtocols.None works with all kind of servers that support TLS1.2 and TLS1.3, except for the latest FileZilla servers for which SslProtocols.Tls12 must be set. The reason for this is that FluentFTP/sslstream doesn't support TLS1.3 Session Resumption (which is forced by FileZila server when TLS1.3 is negotiated).
/// <summary>
/// Create a FTPStorageDevice
/// </summary>
/// <param name="host">Hostname/Address of FTP server</param>
/// <param name="port">Port number of the FTP server</param>
/// <param name="account">The username for connecting to the server</param>
/// <param name="password">The username's password</param>
/// <param name="connectionMode">0: FTPS explicit mode, 1: FTPS implicit mode, 2: FTP</param>
/// <param name="sslProtocol">LetOsDecide (0), Tls12 (1), Tls13 (2)</param>
public FTPStorageDevice(string host, int port, string account, string password, int connectionMode, TlsProtocol sslProtocol)
{
Host = host;
Port = port;
AccountName = account;
Password = password;
FTPConnectionMode = connectionMode;
SslProtocol = sslProtocol;
}
/// <summary>
/// Open and connect to FTP(S) server
/// </summary>
/// <returns>StorageDeviceOpenResult object indicating the connect status and a error code and error message
/// string when the connection failed</returns>
public StorageDeviceOpenResult Open()
{
_certTrusted = true;
ConditionalFileLogger.Log($"FTPStorageDevice.Open - Host: {Name}, port: {Port}, account: {AccountName}, connectionMode: {FTPConnectionMode}, tlsProtocol: {SslProtocol.ToString()}");
var result = new StorageDeviceOpenResult() { Status = ConnectStatus.DriveNotAvailable };
if (string.IsNullOrEmpty(AccountName) ||
string.IsNullOrEmpty(Password))
{
result.Status = ConnectStatus.CouldNotAuthenticate;
return result;
}
try
{
// Setup FtpClient
NetworkCredential credential = new NetworkCredential(AccountName, Password);
_ftpClient = new FtpClient(Host, Port, credential);
if (ConditionalFileLogger.Level == ConditionalFileLogger.LoggingLevel.Detail)
{
FtpTrace.LogFunctions = true;
FtpTrace.LogToConsole = true;
_ftpClient.OnLogEvent = OnFTPLogEvent;
}
else
{
FtpTrace.LogFunctions = false;
FtpTrace.LogToConsole = false;
}
var offset = DateTimeOffset.Now.Offset;
_ftpClient.TimeZone = 2; // Time zone of server should (with LIST) and must (with MLSD) be in UTC
_ftpClient.TimeConversion = FtpDate.ServerTime;
if (FTPConnectionMode != 2)
{
// Set _certValidationPending = true to protect against a endless loop when FluentFTP
// keeps on calling connect() internally
_certValidationPending = true;
_ftpClient.EncryptionMode = FTPConnectionMode == 0 ? FtpEncryptionMode.Explicit : FtpEncryptionMode.Implicit;
// If SslProtocol == TlsProtocol.LetOsDecide then let .NET sslstream pick the highest and most relevant
// TLS protocol (it will propose TLS 1.2 and TLS 1.3).
_ftpClient.SslProtocols = SslProtocol == TlsProtocol.LetOsDecide ? SslProtocols.None : SslProtocols.Tls12;
_ftpClient.ValidateAnyCertificate = true;
if (SslProtocol == TlsProtocol.LetOsDecide)
{
// Set _ftpClient.StaleDataCheck = false because we have seen valid stale data coming up
// on a Synology NAS FTP server when connecting using TLS 1.3.
// The check for TlsProtocol.LetOsDecide is not 100% correct because if a server doesn't support
// TLS 1.3 the connection will be TLS 1.2 with no check for state data.
_ftpClient.StaleDataCheck = false;
}
_ftpClient.ValidateCertificate += _ftpClient_ValidateCertificate;
// Get all trusted certifications in _trustedCerts (will be used in _ftpClient_ValidateCertificate)
var folder = Windows.Storage.ApplicationData.Current.LocalFolder;
string filePath = $"{folder.Path}\\trusted_certs.json";
if (File.Exists(filePath))
{
ConditionalFileLogger.Log("FTPStorageDevice.Initialize - Extract trusted certificates list");
DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(List<TrustedCert>));
using (FileStream fs = File.OpenRead(filePath))
{
_trustedCerts = (List<TrustedCert>)serializer.ReadObject(fs);
fs.Close();
}
ConditionalFileLogger.Log($"FTPStorageDevice.Initialize - File contains {_trustedCerts.Count} entries");
}
else
{
ConditionalFileLogger.Log("FTPStorageDevice.Initialize - There is no trusted certificates list");
}
}
// Set DataConnectionType to PASV. Have seen a server that responds with 229 on EPSV request but then
// fails to accept the connection for a GetListing request.
// PASV is then OK since FluentFTP will anyhow then use EPSV when IP6 is used.
// _ftpClient.DataConnectionType = FtpDataConnectionType.PASV;
// Connect to the server
_ftpClient.Connect();
_certValidationPending = false;
if (_ftpClient.IsConnected)
{
result.Status = ConnectStatus.Connected;
FtpRootDirectory = _ftpClient.GetWorkingDirectory();
ConditionalFileLogger.Log("FTPStorageDevice.Initialize - SUCCESS");
}
else
{
ConditionalFileLogger.Log("FTPStorageDevice.Initialize - NOT CONNECTED");
}
}
catch (FtpSecurityNotAvailableException e1)
{
result.Status = ConnectStatus.TLSNotSupported;
result.ErrorCode = e1.HResult;
result.ErrorMessage = e1.Message;
ConditionalFileLogger.Log($"FTPStorageDevice.Initialize - FAIL-1, ErrorCode: {e1.HResult}, {e1.Message}");
}
catch (FtpAuthenticationException e2)
{
result.Status = e2.CompletionCode.Equals("421") ? ConnectStatus.DriveNotAvailable : ConnectStatus.AccountNotRegisteredAnymore; // AuthenticateRequestResult.SignInState.ServiceNotAvailable : AuthenticateRequestResult.SignInState.AccountNotRegistered;
result.ErrorCode = e2.HResult;
result.ErrorMessage = e2.Message;
ConditionalFileLogger.Log($"FTPStorageDevice.Initialize - FAIL-2, ErrorCode: {e2.HResult}, {e2.Message}");
}
catch (AuthenticationException e3)
{
result.Status = _certTrusted ? ConnectStatus.AccountNotRegisteredAnymore : ConnectStatus.UntrustedCertificate; // AuthenticateRequestResult.SignInState.AccountNotRegistered : AuthenticateRequestResult.SignInState.CertificateError;
result.ErrorCode = e3.HResult;
result.ErrorMessage = e3.Message;
ConditionalFileLogger.Log($"FTPStorageDevice.Initialize - FAIL-3, ErrorCode: {e3.HResult}, {e3.Message}");
}
catch (Exception ex)
{
// 0x80131515: tls problem
// 0x80131500: tls problem or wrong address
// 0x80004004: wrong address
if (FTPConnectionMode != 2 &&
(ex.HResult & 0xFFFF00) == 0x131500)
{
result.Status = _certTrusted ? ConnectStatus.CouldNotAuthenticate : ConnectStatus.UntrustedCertificate;
}
else
{
result.Status = ConnectStatus.DriveNotAvailable; // AuthenticateRequestResult.SignInState.Error;
}
result.ErrorCode = ex.HResult;
result.ErrorMessage = ex.Message;
ConditionalFileLogger.Log($"FTPStorageDevice.Initialize - FAIL-4, ErrorCode: {ex.HResult}, {ex.Message}");
}
return result;
}
public void Close()
{
if (_ftpClient != null &&
_ftpClient.IsConnected)
{
_ftpClient.Disconnect();
_ftpClient.Dispose();
}
_ftpClient = null;
}
The code for the certificate validation event is given in an earlier comment.
The reason for a FTPStorageDevice is that my app must support different kind of storage devices such as: disk drives (Mass Storage Devices), MTP devices, OneDrive, WebDav, FTP servers, and SFTP servers. Each of those 'devices' have there own class, derived from IStorageDevice and have a common interface for accessing it: open, close, read directory, create directory/file, etc.
If I try to use Connect with None then the CLient is send a TLS1.2 Communication (i see it in Wireshark). The response is a "550 TLS handshake failed". If I try with "TLS1.3" then no handshake is made (in Wireshare no additional communication)
@MyKeySoftMK
See attached picture for a Wireshark screenshot what more or less should happen after the server responds with "234 AUTH TLS successfull" (frame 90 in the picture).
I have some News:
If i add following Registry Entries, then the section supported_versions is added and have the TLS1.3 (Now I have following exception: Die lokale Sicherheitsautorität (LSA) ist nicht erreichbar.)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
But in this article i found the statement, that TLS1.3 not workiing in Windows10 (https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-). But for me is important, that the class implement the TLS1.3 by it selfs. My Application must be run on Windows 2012 R2. But when I see, that .NET / FluentFTP only use the OS-SChannels, than is it the wrong way for me an my app
Please confirm
@MyKeySoftMK I am afraid you are right. I didn't know that you are on Windows 2012R2. That is a rather old system and if TLS1.2 is not possible with the targetted FTP server then you have to look for an alternative. That will be difficult I think.
Is it possible to access the server using SFTP? That is not FTP but a protocol that lets you transfer files and folders using Secure Shell. It is a lot easier than FTP(S) and in away much better. If your server allows it then SSH.NET is the library that you will want to use. SSH.NET supports TLS 1.2 and TLS 1.3 without relying on sslstream (sChannel). I think it uses an own implementation of all the security, encryption stuff.
@MyKeySoftMK I am afraid you are right. I didn't know that you are on Windows 2012R2. That is a rather old system and if TLS1.2 is not possible with the targetted FTP server then you have to look for an alternative. That will be difficult I think.
I find out, that WinSCP and FileZilla can connect the server without problems - this programs have ther own TLS1.3 inside (maybe). For WinSCP i found a Warpper-Class - but they would be refractor my complete app (WinSCP will be part of the program, when I use this way)
@MyKeySoftMK That is correct. You will have to find a way to make sure that the WinSCP executable is installed when you install your program. That is not ideal. Did you try to connect to the server using WinSCP and setting the File Protocol to SFTP? Maybe it works. If so, then I would go for a SSH.NET based client. I can give you the code to accomplish this.
@JosHuybrighs I have testet the SSH.NET - but they didn´t work. Only FTPS is allowed
@robinrodricks I find this actual project in github https://github.com/whSwitching/TLSHandler - is it possible to implement it in your FluentFTP Project? So i can imagine that you are not OS depend was TLS 1.3
@MyKeySoftMK buddy..... Computer OS: Windows 10 / Visual Studio 2022 This is what you filled in.
Maybe I should have been more clear, this place is to fill in the details about the computer that is RUNNING FluentFTP. Even I had no idea you were on Win2012.
@JosHuybrighs - https://github.com/robinrodricks/FluentFTP/issues/922
@MyKeySoftMK buddy.....
Computer OS: Windows 10 / Visual Studio 2022This is what you filled in.Maybe I should have been more clear, this place is to fill in the details about the computer that is RUNNING FluentFTP. Even I had no idea you were on Win2012.
My developer machine is Windows 10 - and on this machine is it not working. So my information to you, that I use Windows 10 is right. In the beginning i didn´t know that it is important, that I will it use on Window 2012. I didn´t understand the parts that you use to connect via TLS1.3. But in the meantime i investigate and understand how all works together.
Sorry for this missunderstanding