Graphic Equaliser

AUTH TLS fails every time!

I am not sure of what I'm doing and was hoping for some pointers to connect to a TLSv1.2 only FTP server. I am using Borland C++ Builder 5 (I know - it's ancient) and these versions of the components and OpenSSL :-

CompanyName=OverByte (F. Piette)
FileDescription=ICS Components for BCB5
FileVersion=2.0.0.22
InternalName=IcsBcb50
LegalCopyright=(c) 1997-2000 by François PIETTE

OpenSSL libeay32.dll and ssleay32.dll version 1.0.2zg (v 1.0.2.32)

I am not sure what SslContext2->CipherList should be - I currently have "-ALL:+TLSv1.2:+TLSv1.3:HIGH"

My sequence of ICS function calls (where mjftp is the FtpCli component) is :-

// ICS FtpCli component (mjftp) configured for explicit FTPS: AUTH TLS is sent after the 220 banner.
mjftp->HostName = "ns130.askia.com";
mjftp->UserName = "RSM.user";
mjftp->PassWord = "xxxxx";
mjftp->Port     = "5022";
mjftp->SslType  = sslTypeAuthTls;

// Each synchronous call returns false on failure; LastResponse then holds the server's reply.
if (!mjftp->Open()) return "**ERROR** MJFTP Open Failed - " + mjftp->LastResponse;
if (!mjftp->Auth()) return "**ERROR** MJFTP Auth Failed - " + mjftp->LastResponse;
if (!mjftp->User()) return "**ERROR** MJFTP USER Failed - " + mjftp->LastResponse;
if (!mjftp->Pass()) return "**ERROR** MJFTP PASS Failed - " + mjftp->LastResponse;
...

but it always comes back with "**ERROR** MJFTP Auth Failed - 535 SSL handshake failed. Error #1"

What am I doing wrong?


Sorry, we really can not support very old ICS versions, you don't give the ICS version, but OpenSSL 1.0.2 has not been supported for a few years. 

If you report a better handshake error, as later ICS versions do, you might get more information about the error.  It might simply be an expired SSL certificate.  Or 100 other things.

Angus


Thanks for the reply Angus. Please could you indicate the format of the CipherList string for these 2 ciphers :-

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS  
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS


For clients, it is easier to allow all supported ciphers to be used, and let the server select the best cipher, if you want a connection.  Only worry about cipher lists if the server uses poor ciphers by default, which is rare.

Angus


The CipherList property already contains "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH" which looks pretty weak by today's standards. What should I use in its place nowadays with TLSv1.2?


The cipher list is highly unlikely to be causing your connection failure, unless the server is actually reporting cipher errors, such as: version too low, no shared cipher, unsupported protocol, wrong SSL version, bad key share, which are errors from one of my ICS servers this morning, probably hackers. 

You really need to get the real handshake error, but I can not help since you have not explained what ICS version from what date you are using, from the FTP unit.

Angus


535 SSL handshake failed. Error #1

 

FileDescription=ICS Components for BCB5
FileVersion=2.0.0.22

Files dated 19/10/2008 16:38:46

Edited by Graphic Equaliser


You've already said all that, but that is not an OpenSSL error message, and the file description of a package file is not an ICS version number.  A package created in 2008 would have been ICS V7, long obsolete, numerous SSL/TLS improvements since then. 

Angus


But nothing beyond V7 compiles as a component in BCB5, so I'm stuck! Help! Is there anyone who can get the later Pascal code to compile into a BCB5 installation package (.bpk file)?


@Graphic Equaliser

You are using a too old SSL library. Maybe you are using OpenSSL 0.9.8 and those are the ciphers used: only SSLv3 is supported.
You will not be able to connect to any site, 'cause your software should use TLS protocols (TLS1.3 or TLS1.2 should be the best).

You must upgrade to a new ICS package. Try to use the Community Edition of C++ or the free command line compiler: https://www.embarcadero.com/free-tools/ccompiler

openssl-0.9.8>openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Edited by DelphiUdIT


He is not using 0.9.8 but 1.0.2zg, although it is not a version we ever supported (it's a privately supported version).

The last public release was 1.0.2u.  All versions of 1.0.2 support TLS/1.2 and modern ciphers so should work with all servers today.

Angus

1 hour ago, Angus Robertson said:

He is not using 0.9.8 but 1.0.2zg, although it is not a version we ever supported (it's a privately supported version).

The last public release was 1.0.2u.  All versions of 1.0.2 support TLS/1.2 and modern ciphers so should work with all servers today.

Angus

I'm sorry, I missed the SSL version ... But in 2008 (the package that he indicated) the OpenSSL in use was 0.9.8 ... only two years later OpenSSL 1.0.0 was published. And ICS surely (or not ???) didn't have TLS "implemented" with OpenSSL 0.9.8.

So, maybe that is working with old ICS and new OpenSSL but with SSLv3 protocol.
But that is my thinking, for sure he should upgrade his environment.

Edited by DelphiUdIT


ICS checks the OpenSSL version on start-up and fails if it does not support the version found, so he could not use 1.0.2 if ICS did not support it.  The 2008 date might be wrong since that comes from a file resource, and ICS does not set any versions or dates in file resources, or if it does I've not updated them in 15 years.  Date and versions are important in our applications, but not packages.

Angus


Angus - thank you - 1.0.2 openssl and ICSv7 work with modern TLSv1.2 servers, except the server is doing something weird and I can't pinpoint it. I can't get as far as the username and password, so can you "sniff" anything different on it, at the AUTH TLS stage? The address is ns130.askia.com on port 5022 using FTP and auth TLS.

Edited by Graphic Equaliser


Works for me, using OpenSSL v3, also connects with TLSv1.3.  Can not test with old versions of OpenSSL, ICS does not work with them any longer. 

19:01:16:550 Connect/Logon to FTP Server: ns130.askia.com:5022
19:01:16:591 < 220-FileZilla Server 1.8.1
19:01:16:591 < 220 Please visit https://filezilla-project.org/
19:01:16:591 FTP Control Session Connected OK to: 85.13.217.130:5022
19:01:16:611 > AUTH SSL
19:01:16:641 < 234 Using authentication type TLS.
19:01:16:722 ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
19:01:16:722  Connected OK Again

Try connecting to the ICS FTP server on ics.ftptest.org.  It may log something useful.

Angus

Edited by Angus Robertson


Thanks Angus. I couldn't see anything my end. When I used the IcsSSLFTPTst.exe demo app, I get this on Connect :-

Winsock version 2.2
WinSock 2.0
Running
Executing Requested Command
< 220-ics.ftptest.org
<
< 220-ICS TFtpServer (c) 1998-2023 F. Piette V9.1
< 220 Server: MAGPUB5 at 2024-03-05T10:34:54
Session Connected, error = 0
> AUTH TLS
< 234 Using authentication type TLS
! Init SSL failed Unsupported OpenSSL version (0x1000220F) !
Supported versions are 0x0090805F - 0x0090805F
FileName: C:\ics_ssl_demos\LIBEAY32.DLL
Request 5 Done.
StatusCode = 550
LastResponse was : '550 Unsupported OpenSSL version (0x1000220F) !
Supported versions are 0x0090805F - 0x0090805F
FileName: C:\ics_ssl_demos\LIBEAY32.DLL'
Error = 550 (550 Unsupported OpenSSL version (0x1000220F) !
Supported versions are 0x0090805F - 0x0090805F
FileName: C:\ics_ssl_demos\LIBEAY32.DLL)
Command Failure


ICS V9.1 does not support old versions of OpenSSL and will never attempt to open them, I assume you've modified the source code in an attempt to do so.

Did you attempt to connect to our server with your original application that failed with FileZilla server?

Angus


Yes, I can connect to your server. I can also connect to my server, but then I have problems getting a directory listing. I get this :-

Winsock version 2.2
WinSock 2.0
Running
Executing Requested Command
< 220-FileZilla Server 1.8.1
< 220 Please visit https://filezilla-project.org/
Session Connected, error = 0
> AUTH TLS
< 234 Using authentication type TLS.
! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
SSL handshake done, error #0 - SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
> USER RSM.User
< 331 Please, specify the password.
> PASS *****
< 230 Login successful.
> CWD /wwwroot
< 250 CWD command successful
> PASV
< 227 Entering Passive Mode (85,13,217,130,8,155)
! Passive connection requested to: 85.13.217.130:2203, control channel: 85.13.217.130
> LIST
! Data Session closed
! Local File Stream Closed
< 425 Error while transfering data: PROT C is not allowed when the control connection is secure. Use PROT P.
Request 11 Done.
StatusCode = 425
LastResponse was : '425 Error while transfering data: PROT C is not allowed when the control connection is secure. Use PROT P.'
Error = 425 (425 Error while transfering data: PROT C is not allowed when the control connection is secure. Use PROT P.)


So now you are using a recent ICS version with OpenSSL 3, since you are connecting with TLSv1.3?

But you are probably using the old TSslFtpClient low level component that requires you to send the correct FTP commands in the correct order.

As the error message suggests, you have not sent the PROT command with Protlevel=P. 

If you use the TIcsFtpMulti high level component instead, this is all done for you, see the sample OverbyteIcsXferTst.

Or if you want a simpler sample, build OverbyteIcsSnippets and click the FTP Download One File button, the code is in a single function.

Angus

Edited by Angus Robertson


Thanks for all your help Angus. Actually, that last example was the latest downloaded OverbyteIcsSslFtpTst.exe (dated 14/8/2023 11:44, version 1) from the demo apps on the Overbyte website. I suspect there may be a bug in it. When I issue Prot P after the error occurs, and then request a directory listing, I get this :-

> PROT P
< 200 Protection level set to P
Request 52 Done.
StatusCode = 200
LastResponse was : '200 Protection level set to P'
No error
Executing Requested Command
> PASV
< 227 Entering Passive Mode (85,13,217,130,11,119)
! Passive connection requested to: 85.13.217.130:2935, control channel: 85.13.217.130
> LIST
< 150 About to start data transfer.
! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
SSL handshake done, error #0 - SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
< 425 Unable to build data connection: TLS session of data connection not resumed.
! Data Session closed
! Local File Stream Closed
! RETR/LIST/NLST Failed
Request 7 Done.
StatusCode = 425
LastResponse was : '425 Unable to build data connection: TLS session of data connection not resumed.'
Error = 425 (425 Unable to build data connection: TLS session of data connection not resumed.)

Edited by Graphic Equaliser


The 425 error from the server suggests it does not like the SSL/TLS connection, and yet we think it was okay, and it accepted the AUTH connection earlier. Nothing wrong with the commands being sent. SSL/TLS can be strange like that. 

BTW, I updated that old compiled demo today with a new version, although unlikely to behave any differently. 

Angus


I've reproduced a 425 FTP error after updating my FileZilla server to the latest on one of my public servers, and updating the Windows Firewall rules which FileZilla ignores (I have Delphi firewall functions that my servers use).  

I can access FileZilla fine from the public server, but not remotely, although my error is slightly different: 425 Unable to build data connection: EINVAL - Invalid argument passed

So this is all down to firewall port ranges, not sure yet if Windows Firewall or the external pfSense firewall, need to investigate.  Is your FileZilla server behind a firewall?

Update: FileZilla is complaining:  [Error] Data peer IP [217.146.115.82] differs from control peer IP [217.146.115.84]: this shouldn't happen, aborting the data connection.

I have multiple outgoing IP addresses, and it does not like this. 

Update 2: After adding a router rule, I've got past the IP address error and the data connection now works.  You really need the FileZilla log message for the 425 error to understand it. 

> PASV
< 227 Entering Passive Mode (217,146,102,143,82,34)
! Passive connection requested to: 217.146.102.143:21026, control channel: 217.146.102.143
> MLSD
< 150 About to start data transfer.
! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
 Connected OK Again
< 226 Operation successful
! Data Session closed
! Local File Stream Closed
! 245bytes received/sent in 31 milliseconds

Angus

Edited by Angus Robertson
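
As an added example (not ICS code and not written by anyone in this thread): a small Python checker for the two client-side problems discussed above, a data command issued before PROT P on a TLS-protected control connection (the "PROT C is not allowed" 425), and a PASV reply whose address does not match the control peer (the same comparison ICS prints in its "Passive connection requested to ..., control channel ..." line). The log lines are constructed to mirror the transcripts in this thread; the function names are this example's own.

```python
import re

# Constructed ICS-style client logs (not real captures); BROKEN_LOG sends LIST over a TLS control channel without PROT P.
BROKEN_LOG = """\
> AUTH TLS
< 234 Using authentication type TLS.
> USER RSM.User
< 331 Please, specify the password.
> PASS *****
< 230 Login successful.
> PASV
< 227 Entering Passive Mode (85,13,217,130,8,155)
> LIST
< 425 PROT C is not allowed when the control connection is secure. Use PROT P.
"""
# FIXED_LOG issues PBSZ 0 and PROT P (RFC 4217) before the first data command.
FIXED_LOG = BROKEN_LOG.replace(
    "> PASV", "> PBSZ 0\n< 200 PBSZ=0\n> PROT P\n< 200 Protection level set to P\n> PASV", 1)

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR"}

def parse_pasv(reply):
    """Decode a 227 reply into (host, port); the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: " + reply)
    a, b, c, d, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2

def check_ftps_session(log, control_peer):
    """Walk a client log ('> ' sent, '< ' received) and return a list of findings (empty = clean):
    a data command on a TLS control channel before PROT P, and a PASV address that differs
    from the control peer (the comparison ICS prints in its 'Passive connection requested' line)."""
    findings, tls, prot_p = [], False, False
    for line in log.splitlines():
        if line.startswith("> "):
            verb, _, arg = line[2:].partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                tls = True
            elif verb == "PROT":
                prot_p = arg.strip().upper() == "P"
            elif verb in DATA_CMDS and tls and not prot_p:
                findings.append(verb + " sent without PROT P: data channel would be cleartext (server answers 425)")
        elif line.startswith("< 227"):
            host, port = parse_pasv(line)
            if host != control_peer:  # never follow a PASV address that is not the server you are talking to
                findings.append("PASV advertises %s:%d but control peer is %s" % (host, port, control_peer))
    return findings
```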

You will find the OverbyteIcsXferTst sample easier to use, I was using the TIcsFtpMulti component for my tests. 

There is really nothing you can do for these errors, it's down to the server, firewalls and configuration.  They need to tell you why connections fail. 

Or does the server work with FileZilla Client, perhaps there is something clever going on.

Angus


When I connect with FileZilla client, it presents me with this certificate, and connects if I accept it :-

[screenshot: the server certificate presented by the FileZilla client]

Edited by Graphic Equaliser
