SSL Connection Failure

Leeward

2011-03-03 21:37:19

Hi,

I just encountered this problem today because I'm unable to authenticate into a server running FTPS (Explicit) on port 21.

[16:15:31] AUTH TLS
[16:15:31] 234 AUTH SSL command successful.
[16:15:31] SSL: Error (Error=0x8009030f).
[16:15:31] The message or signature supplied for verification has been altered
[16:15:31] Client closed the connection.
[16:15:31] Connect failed. Waiting to retry (30s)...

Another software can authenticate:

16:22:41 Command: AUTH TLS
16:22:41 Response: 234 AUTH SSL command successful.
16:22:41 Status: Initializing TLS...
16:22:41 Status: Verifying certificate...
16:22:50 Command: USER test
16:22:50 Status: TLS/SSL connection established.
16:22:50 Response: 331 Password required for test.
16:22:50 Command: PASS **********
16:22:50 Response: 230 User test logged in.
16:22:50 Command: SYST
16:22:50 Response: 215 UNIX Type: L8
16:22:51 Command: PBSZ 0
16:22:51 Response: 200 PBSZ command successful (PBSZ=0).
16:22:51 Command: PROT P
16:22:51 Response: 200 Protection level set to Private.
16:22:51 Status: Connected
16:22:51 Status: Retrieving directory listing...

The error might be related to this link.

Finally, the System Info of my computer:

+- System -----------------------------
Microsoft Windows 7 Enterprise Edition
Service Pack 1 (Build 7601)

CPU Speed : 2793 MHz
Total Memory : 8117 MB
Free Memory : 1593 MB

+- SmartFTP ---------------------------
Version : 4.0.1169.0
Time Stamp : 2011-02-24 05:51:51
Platform : x64
Id : 400096762
Maintenance : 2011-03-03
Days in use : 27

+- Language ---------------------------
en-US

+- Internet Explorer ------------------
Version : 8.0.7601.17514

+- Winsock ----------------------------
Winsock : 2.2

2011-03-03 21:58:16

It looks like an interoperability problem between Schannel in Microsoft Windows 7 SP1 and the FTP server. What FTP server is running on the server? proftpd 1.3? Can you post the log from the remote browser? Thanks.

Update: Did you already try this workaround: https://www.smartftp.com/support/kb/ssl- ... f2597.html

Leeward

2011-03-04 03:01:23

It looks like an interoperability problem between Schannel in Microsoft Windows 7 SP1 and the FTP server. What FTP server is running on the server? proftpd 1.3? Can you post the log from the remote browser? Thanks.

Update: Did you already try this workaround: https://www.smartftp.com/support/kb/ssl ... f2597.html

The FTP server is running on a Linux based NAS (Synology DiskStation), but I'm not sure what exactly it is.

By "log from the ewmote browser" do you mean:
[21:54:55] SmartFTP v4.0.1169.0
[21:54:55] Resolving host name "*.*.*.*"
[21:54:55] Connecting to *.*.*.* Port: 21
[21:54:56] Connected to *.*.*.*.
[21:54:56] 220 ds1 FTP server ready.
[21:54:56] AUTH TLS
[21:54:56] 234 AUTH SSL command successful.
[21:54:56] SSL: Error (Error=0x80090330).
[21:54:56] The specified data could not be decrypted.
[21:54:56] Client closed the connection.
[21:54:56] Connect failed. Waiting to retry (30s)...

I tried the same on a Win7 Ultimate x64 and it works fine.
So the Win7 Enterprise x64 that doesn't work may have some "special" setting...perhaps came from the domain controller.

I'll try the workaround and let you know.

Thanks!

*** Update *** Unfortunately changing the registry setting (and rebooting) didn't help:-(

Leeward

2011-03-04 03:53:29

FYI I just renewed the license, since today is the last day of the previous license:

Id : 400096762
Maintenance : 2013-03-04

Leeward

2011-03-04 20:03:12

I guess I have a theory...
When it's not working, I'm on a network where the traffic destinated to port 21 is somehow monitored and altered, because it is treated as regular FTP?
Using port other than 21 for server (FTPS Explicit) seems solved the issue.
(and when I initially wrote "another software works", I wasn't aware that it's actually running on a different network)

2011-03-04 20:08:12

If your other FTP client doesn't use schannel (most of them use openssl) then your theory is most likely correct. To see if it's a problem with all servers or just a particular one you can connect to our server ftp.smartftp.com (Login: Anonymous) with FTP TLS Explicit.

Leeward

2011-03-04 20:49:57

If your other FTP client doesn't use schannel (most of them use openssl) then your theory is most likely correct. To see if it's a problem with all servers or just a particular one you can connect to our server ftp.smartftp.com (Login: Anonymous) with FTP TLS Explicit.

Here're the test data:

[15:41:33] SmartFTP v4.0.1169.0
[15:41:33] Resolving host name "ftp.smartftp.com"
[15:41:34] Connecting to 75.126.59.170 Port: 21
[15:41:34] Connected to ftp.smartftp.com.
[15:41:34] 220 SmartFTP Server ready...
[15:41:34] AUTH TLS
[15:41:34] 234 AUTH command ok; starting SSL connection.
[15:41:34] SSL: Error (Error=0x80090308).
[15:41:34] The token supplied to the function is invalid
[15:41:34] Client closed the connection.
[15:41:34] Connect failed. Waiting to retry (30s)...

Another software on the same network:

Status: Resolving address of ftp.smartftp.com
Status: Connecting to 75.126.59.170:21...
Status: Connection established, waiting for welcome message...
Response: 220 SmartFTP Server ready...
Command: AUTH TLS
Response: 234 AUTH command ok; starting SSL connection.
Status: Initializing TLS...
Error: GnuTLS error -73: ASN1 parser: Error in TAG.
Error: Could not connect to server
Status: Waiting to retry...

I'll see if I can ask our system administrator to take a look.

Does SmartFTP use SChannel or OpenSSL?

2011-03-04 21:04:57

SmartFTP uses Schannel for TLS connection. Your other FTP client uses GnuTLS. And yes the same problem with both SmartFTP and your other FTP client. So the problem is most likely somewhere else (e.g. application firewall).