Graphic Equaliser 0 Posted February 29 I am not sure of what I'm doing and was hoping for some pointers to connect to a TLSv1.2 only FTP server. I am using Borland C++ Builder 5 (I know - it's ancient) and these versions of the components and OpenSSL :- CompanyName=OverByte (F. Piette) FileDescription=ICS Components for BCB5 FileVersion=2.0.0.22 InternalName=IcsBcb50 LegalCopyright=(c) 1997-2000 by François PIETTE OpenSSL libeay32.dll and ssleay32.dll version 1.0.2zg (v 1.0.2.32) I am not sure what SslContext2->CipherList should be - I currently have "-ALL:+TLSv1.2:+TLSv1.3:HIGH" My sequence of ICS function calls (where mjftp is the FtpCli component) is :- mjftp->HostName="ns130.askia.com"; mjftp->UserName="RSM.user"; mjftp->PassWord="xxxxx"; mjftp->Port="5022"; mjftp->SslType=sslTypeAuthTls; if (!mjftp->Open()) return "**ERROR** MJFTP Open Failed - "+mjftp->LastResponse; if (!mjftp->Auth()) return "**ERROR** MJFTP Auth Failed - "+mjftp->LastResponse; if (!mjftp->User()) return "**ERROR** MJFTP USER Failed - "+mjftp->LastResponse; if (!mjftp->Pass()) return "**ERROR** MJFTP PASS Failed - "+mjftp->LastResponse; ... but it always comes back with "**ERROR** MJFTP Auth Failed - 535 SSL handshake failed. Error #1" What am I doing wrong? Share this post Link to post
Angus Robertson 577 Posted February 29 Sorry, we really can not support very old ICS versions, you don't give the ICS version, but OpenSSL 1.0.2 has not been supported for a few years. If you report a better handshake error, as later ICS versions do, you might get more information about the error. It might simply be an expired SSL certificate. Or 100 other things. Angus Share this post Link to post
Graphic Equaliser 0 Posted February 29 Thanks for the reply Angus. Please could you indicate the format of the CipherList string for these 2 ciphers :- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS Share this post Link to post
Angus Robertson 577 Posted February 29 For clients, it is easier to allow all supported ciphers to be used, and let the server select the best cipher, if you want a connection. Only worry about cipher lists if the server uses poor ciphers by default, which is rare. Angus Share this post Link to post
Graphic Equaliser 0 Posted March 1 The CipherList property already contains "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH" which looks pretty weak by today's standards. What should I use in its place nowadays with TLSv1.2? Share this post Link to post
Angus Robertson 577 Posted March 1 The cipher list is highly unlikely to be causing your connection failure, unless the server is actually reporting cipher errors, such as: version too low, no shared cipher, unsupported protocol, wrong SSL version, bad key share, which are errors from one of my ICS servers this morning, probably hackers. You really need to get the real handshake error, but I can not help since you have not explained what ICS version from what date you are using, from the FTP unit. Angus Share this post Link to post
Graphic Equaliser 0 Posted March 1 (edited) 535 SSL handshake failed. Error #1 FileDescription=ICS Components for BCB5 FileVersion=2.0.0.22 Files dated 19/10/2008 16:38:46 Edited March 1 by Graphic Equaliser Share this post Link to post
Angus Robertson 577 Posted March 1 You've already said all that, but that is not an OpenSSL error message, and the file description of a package file is not an ICS version number. A package created in 2008 would have been ICS V7, long obsolete, numerous SSL/TLS improvements since then. Angus Share this post Link to post
Graphic Equaliser 0 Posted March 1 But nothing beyond V7 compiles as a component in BCB5, so I'm stuck! Help! Is there anyone who can get the later Pascal code to compile into a BCB5 installation package (.bpk file)? Share this post Link to post
DelphiUdIT 187 Posted March 1 (edited) @Graphic Equaliser You are using a too old SSL library. May be you are using 0.9.8 OpenSSL and those are the ciphers used: only the SSL_v3 is supported. You will not be able to connect to any site, 'cause your software should use TLS protocols (TLS1.3 or TLS1.2 should be the best). You must upgrade to a new ICS package. Try to use the Community Edition of C++ or the free command line compiler : https://www.embarcadero.com/free-tools/ccompiler Quote openssl-0.9.8>openssl ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Edited March 1 by DelphiUdIT Share this post Link to post
Angus Robertson 577 Posted March 1 He is not using 0.9.8 but 1.0.2zg, although is not a version we ever supported (it's a privately supported version). The last public release was 1.0.2u. All versions of 1.0.2 support TLS/1,2 and modern ciphers so should work with all servers today. Angus Share this post Link to post
DelphiUdIT 187 Posted March 1 (edited) 1 hour ago, Angus Robertson said: He is not using 0.9.8 but 1.0.2zg, although is not a version we ever supported (it's a privately supported version). The last public release was 1.0.2u. All versions of 1.0.2 support TLS/1,2 and modern ciphers so should work with all servers today. Angus I'm sorry, I miss SSL version ... But on 2008 (the packet that he indicate) OpenSSL in use was 0.98 ... only two years later OpenSSL 1.0.0 was published. And ICS surely (or not ???) didn't had TLS "implemented" with OpenSSL 0.98. So, may be that is working with old ICS and new OpenSSL but with SSLv3 protocol. But that is my thinking, for sure he should upgrade his environment. Edited March 1 by DelphiUdIT Share this post Link to post
Angus Robertson 577 Posted March 1 ICS checks the OpenSSL version on start-up and fails if it does not support the version found, so he could not use 1.0.2 if ICS did not support it. The 2008 date might be wrong since that comes from a file resource, and ICS does not set any versions or dates in file resources, or if it does I've not updated them in 15 years. Date and versions are important in our applications, but not packages. Angus Share this post Link to post
Graphic Equaliser 0 Posted March 1 (edited) Angus - thank you - 1.0.2 openssl and ICSv7 work with modern TLSv1.2 servers, except the server is doing something weird and I can't pinpoint it. I can't get as far as the username and password, so can you "sniff" anything different on it, at the AUTH TLS stage? The address is ns130.askia.com on port 5022 using FTP and auth TLS. Edited March 1 by Graphic Equaliser Share this post Link to post
Angus Robertson 577 Posted March 1 (edited) Works for me, using OpenSSL v3, also connects with TLSv1.3. Can not test with old versions of OpenSSL, ICS does not work with them any longer. 19:01:16:550 Connect/Logon to FTP Server: ns130.askia.com:5022 19:01:16:591 < 220-FileZilla Server 1.8.1 19:01:16:591 < 220 Please visit https://filezilla-project.org/ 19:01:16:591 FTP Control Session Connected OK to: 85.13.217.130:5022 19:01:16:611 > AUTH SSL 19:01:16:641 < 234 Using authentication type TLS. 19:01:16:722 ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD 19:01:16:722 Connected OK Again Try connecting to the ICS FTP server on ics.ftptest.org. It may log something useful. Angus Edited March 1 by Angus Robertson Share this post Link to post
Graphic Equaliser 0 Posted March 11 Thanks Angus. I couldn't see anything my end. When I used the IcsSSLFTPTst.exe demo app, I get this on Connect :- Winsock version 2.2 WinSock 2.0 Running Executing Requested Command < 220-ics.ftptest.org < < 220-ICS TFtpServer (c) 1998-2023 F. Piette V9.1 < 220 Server: MAGPUB5 at 2024-03-05T10:34:54 Session Connected, error = 0 > AUTH TLS < 234 Using authentication type TLS ! Init SSL failed Unsupported OpenSSL version (0x1000220F) ! Supported versions are 0x0090805F - 0x0090805F FileName: C:\ics_ssl_demos\LIBEAY32.DLL Request 5 Done. StatusCode = 550 LastResponse was : '550 Unsupported OpenSSL version (0x1000220F) ! Supported versions are 0x0090805F - 0x0090805F FileName: C:\ics_ssl_demos\LIBEAY32.DLL' Error = 550 (550 Unsupported OpenSSL version (0x1000220F) ! Supported versions are 0x0090805F - 0x0090805F FileName: C:\ics_ssl_demos\LIBEAY32.DLL) Command Failure Share this post Link to post
Angus Robertson 577 Posted March 11 ICS V9.,1 does not support old versions of OpenSSL and will never attempt to open them, I assume you've modified the source code in an attempt to do so. Did you attempt to connect to our server with your original application that failed with Filezillar server? Angus Share this post Link to post
Graphic Equaliser 0 Posted March 11 Yes, I can connect to your server. I can also connect to my server, but then I have problems getting a directory listing. I get this :- Winsock version 2.2 WinSock 2.0 Running Executing Requested Command < 220-FileZilla Server 1.8.1 < 220 Please visit https://filezilla-project.org/ Session Connected, error = 0 > AUTH TLS < 234 Using authentication type TLS. ! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD SSL handshake done, error #0 - SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD > USER RSM.User < 331 Please, specify the password. > PASS ***** < 230 Login successful. > CWD /wwwroot < 250 CWD command successful > PASV < 227 Entering Passive Mode (85,13,217,130,8,155) ! Passive connection requested to: 85.13.217.130:2203, control channel: 85.13.217.130 > LIST ! Data Session closed ! Local File Stream Closed < 425 Error while transfering data: PROT C is not allowed when the control connection is secure. Use PROT P. Request 11 Done. StatusCode = 425 LastResponse was : '425 Error while transfering data: PROT C is not allowed when the control connection is secure. Use PROT P.' Error = 425 (425 Error while transfering data: PROT C is not allowed when the control connection is secure. Use PROT P.) Share this post Link to post
Angus Robertson 577 Posted March 11 (edited) So now you are using a recent ICS version with OpenSSL 3, since you are connecting with TLSv1.3? But you are probably using the old TSslFtpClient low level component that requires you to send to the correct FTP command in the correct order. As the error message suggests, you have not sent the PROT command with Protlevel=P. If you use the TIcsFtpMulti high level component instead, this is all done for you, see the sample OverbyteIcsXferTst. Or if you want a simpler sample, build OverbyteIcsSnippets and click the FTP Download One File button, the code is in a single function. Angus Edited March 11 by Angus Robertson Share this post Link to post
Graphic Equaliser 0 Posted March 11 (edited) Thanks for all your help Angus. Actually, that last example was the latest downloaded OverbyteIcsSslFtpTst.exe (dated 14/8/2023 11:44, version 1) from the demo apps on the Overbyte website. I suspect there may be a bug in it. When I issue Prot P after the error occurs, and then request a directory listing, I get this :- > PROT P < 200 Protection level set to P Request 52 Done. StatusCode = 200 LastResponse was : '200 Protection level set to P' No error Executing Requested Command > PASV < 227 Entering Passive Mode (85,13,217,130,11,119) ! Passive connection requested to: 85.13.217.130:2935, control channel: 85.13.217.130 > LIST < 150 About to start data transfer. ! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD SSL handshake done, error #0 - SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD < 425 Unable to build data connection: TLS session of data connection not resumed. ! Data Session closed ! Local File Stream Closed ! RETR/LIST/NLST Failed Request 7 Done. StatusCode = 425 LastResponse was : '425 Unable to build data connection: TLS session of data connection not resumed.' Error = 425 (425 Unable to build data connection: TLS session of data connection not resumed.) Edited March 11 by Graphic Equaliser Share this post Link to post
Angus Robertson 577 Posted March 11 The 425 error from the server suggests it does not like the SSL/TLS connection, and yet we think it was okay, and it accepted the AUTH connection earlier. Nothing wrong with the commands being sent. SSL/TLS can be strange like that. BTW, I updated that old compiled demo today with a new version, although unlikely to behave any differently. Angus Share this post Link to post
Angus Robertson 577 Posted March 12 (edited) I've reproduced a 425 FTP error after updating my FileZilla server to the latest on one of my public servers, and updating the Windows Firewall rules which FileZilla ignores (I have Delphi firewall functions that my servers use). I can access FileZilla fine from the public server, but not remotely, although my error is slightly different: 425 Unable to build data connection: EINVAL - Invalid argument passed So this is all done to firewall port ranges, not sure yet if Windows Firewall or the external pfSense firewall, need to investigate. Is your FileZilla server behind a firewall. Update: FileZilla is complaining: [Error] Data peer IP [217.146.115.82] differs from control peer IP [217.146.115.84]: this shouldn't happen, aborting the data connection. I have multiple outgoing IP addresses, and it does not like this. Update 2: After adding a router rule, I've got past the IP address error and the data connection now works. You really need the FileZilla log message for the 425 error to understand it. > PASV < 227 Entering Passive Mode (217,146,102,143,82,34) ! Passive connection requested to: 217.146.102.143:21026, control channel: 217.146.102.143 > MLSD < 150 About to start data transfer. ! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD Connected OK Again < 226 Operation successful ! Data Session closed ! Local File Stream Closed ! 245bytes received/sent in 31 milliseconds Angus Edited March 12 by Angus Robertson Share this post Link to post
Angus Robertson 577 Posted March 12 You will find the OverbyteIcsXferTst sample easier to use, I was using the TIcsFtpMulti component for my tests. There is really nothing you can do for these errors, it's down to the server, firewalls and configuration. They need to tell you why connections fail. Or does the server work with FileZilla Client, perhaps there is something clever going on. Angus Share this post Link to post
Graphic Equaliser 0 Posted March 13 (edited) When I connect with FileZilla client, it presents me with this certificate, and connects if I accept it :- Edited March 13 by Graphic Equaliser Share this post Link to post