SSL3 alert write: fatal: protocol version with winscp 4.3.8

Guest

SSL3 alert write: fatal: protocol version with winscp 4.3.8

Hi

Today a colleague of mine and I tried to connect to an FTP server using the WinSCP GUI and the following settings:
* File Protocol: FTP with SSL Explicit encryption
* Connection: Passive mode

Connection was successful, but as soon as we tried to browse to a remote folder, we got:
. 2012-06-13 16:17:24.807 SSL3 alert write: fatal: protocol version
. 2012-06-13 16:17:24.807 Disconnected from server

Then I tried version 4.3.7. With that version it worked without any problem. We are using Windows 7 / 64-bit.

Best regards
Josef


martin
Site Admin
Posts: 41,454
Location: Prague, Czechia

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

Thanks for your report.
It can be related to the OpenSSL upgrade.
Can you please try it with both 5.0.7 and 5.0.6 beta?
https://sourceforge.net/projects/winscp/files/WinSCP/

Also, can you send me an email, so I can send you back a debug version of WinSCP to track the problem? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.


Guest

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

martin wrote:

Thanks for your report.
It can be related to the OpenSSL upgrade.
Can you please try it with both 5.0.7 and 5.0.6 beta?
https://sourceforge.net/projects/winscp/files/WinSCP/

Also, can you send me an email, so I can send you back a debug version of WinSCP to track the problem? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.

Dear prikryl

With version 5.0.6 it worked; however, with version 5.0.7 I got the same error message. You can send me the debug version to: <removed by admin>.

Best regards
Josef


Guest

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

Dear prikryl


We are using a BlackArmor NAS 220. You can set up FTP over SSL/TLS. I tried a firmware update, but there isn't one at the moment. I will try with another client. But right now I'm quite busy.

Best regards
Josef


Guest

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

OK, I tried it with FileZilla.

Unfortunately I got the same result: with the last version, 3.5.3, it didn't work. Then I tried 3.5.2 and it worked. I looked for the error message:
GnuTLS alert 40: Handshake failed

And found this:
https://forum.filezilla-project.org/viewtopic.php?t=23280

Indeed, it seems to be a dropped feature in SSL. According to my log file, the NAS server I have uses vsftpd. The solution given in the previous thread involves modifying the configuration of the FTP server; however, I can't do that because it is a built-in server.

I will write to Seagate about the problem.

Thanks
Josef


Just for the interested, this is the log file from FileZilla:

2012-06-28 08:50:49 8556 3 Status: Resolving address of xxxxxxxxxxxxxxxx
2012-06-28 08:50:49 8556 3 Status: Connecting to xxx.xxx.xxx.xxx:21...
2012-06-28 08:50:49 8556 3 Status: Connection established, waiting for welcome message...
2012-06-28 08:50:49 8556 3 Trace: CFtpControlSocket::OnReceive()
2012-06-28 08:50:49 8556 3 Response: 220 vsFTPd 2.0.7+ (ext.1) ready...
2012-06-28 08:50:49 8556 3 Trace: CFtpControlSocket::SendNextCommand()
2012-06-28 08:50:49 8556 3 Command: AUTH TLS
2012-06-28 08:50:49 8556 3 Trace: CFtpControlSocket::OnReceive()
2012-06-28 08:50:49 8556 3 Response: 234 Proceed with negotiation.
2012-06-28 08:50:49 8556 3 Status: Initializing TLS...
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::Handshake()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::ContinueHandshake()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::OnSend()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::OnRead()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::ContinueHandshake()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::OnRead()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::ContinueHandshake()
2012-06-28 08:50:49 8556 3 Trace: CTlsSocket::Failure(-12, 10053)
2012-06-28 08:50:49 8556 3 Trace: GnuTLS alert 40: Handshake failed
2012-06-28 08:50:49 8556 3 Error: GnuTLS error -12: A TLS fatal alert has been received.
2012-06-28 08:50:49 8556 3 Trace: CRealControlSocket::OnClose(10053)
2012-06-28 08:50:49 8556 3 Trace: CControlSocket::DoClose(64)
2012-06-28 08:50:49 8556 3 Trace: CFtpControlSocket::ResetOperation(66)
2012-06-28 08:50:49 8556 3 Trace: CControlSocket::ResetOperation(66)
2012-06-28 08:50:49 8556 3 Error: Could not connect to server
2012-06-28 08:50:49 8556 3 Trace: CFileZillaEnginePrivate::ResetOperation(66)


martin
Site Admin

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

Can I have a test account on either of the servers?

If not, can any one of you send me an email, so I can send you back a debug version of WinSCP to track the problem? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.


jmeile
Posts: 2

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

Dear prikryl

I already sent you an account. As I told you in my mail, I got a firmware update from Seagate, but it didn't solve the problem.

In my mail I told you that it was also present in FileZilla; however, after the firmware update, it works now with FileZilla 3.5.3, so now the problem is only with WinSCP.

Best regards
Josef


jmeile

Re: SSL3 alert write: fatal: protocol version with winscp 4.3.8

If you are interested, here is the log from FileZilla:

14:43:51   Status:   Resolving address of xxxxx
14:43:51   Status:   Connecting to xxx.xxx.xxx.xxx:21...
14:43:51   Status:   Connection established, waiting for welcome message...
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   220 vsFTPd 2.0.7+ (ext.1) ready...
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Command:   AUTH TLS
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   234 Proceed with negotiation.
14:43:51   Status:   Initializing TLS...
14:43:51   Trace:   CTlsSocket::Handshake()
14:43:51   Trace:   CTlsSocket::ContinueHandshake()
14:43:51   Trace:   CTlsSocket::OnSend()
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CTlsSocket::ContinueHandshake()
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CTlsSocket::ContinueHandshake()
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CTlsSocket::ContinueHandshake()
14:43:51   Trace:   TLS Handshake successful
14:43:51   Trace:   Cipher: AES-128-CBC, MAC: SHA1
14:43:51   Status:   Verifying certificate...
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Command:   USER xxx
14:43:51   Status:   TLS/SSL connection established.
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   331 Please specify the password.
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Command:   PASS *********
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   230 Login successful.
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Command:   OPTS UTF8 ON
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   200 UTF8 option is On.
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Command:   PBSZ 0
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   200 PBSZ set to 0.
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Command:   PROT P
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   200 PROT now Private.
14:43:51   Status:   Connected
14:43:51   Trace:   CFtpControlSocket::ResetOperation(0)
14:43:51   Trace:   CControlSocket::ResetOperation(0)
14:43:51   Trace:   CFileZillaEnginePrivate::ResetOperation(0)
14:43:51   Status:   Retrieving directory listing...
14:43:51   Trace:   CFtpControlSocket::SendNextCommand()
14:43:51   Trace:   CFtpControlSocket::ChangeDirSend()
14:43:51   Command:   PWD
14:43:51   Trace:   CTlsSocket::OnRead()
14:43:51   Trace:   CFtpControlSocket::OnReceive()
14:43:51   Response:   257 "/"
14:43:51   Trace:   CFtpControlSocket::ResetOperation(0)
14:43:51   Trace:   CControlSocket::ResetOperation(0)
14:43:51   Trace:   CFtpControlSocket::ParseSubcommandResult(0)
14:43:51   Trace:   CFtpControlSocket::ListSubcommandResult()
14:43:51   Trace:     state = 1
14:43:51   Trace:   CFtpControlSocket::ResetOperation(0)
14:43:51   Trace:   CControlSocket::ResetOperation(0)
14:43:51   Status:   Directory listing successful
14:43:51   Trace:   CFileZillaEnginePrivate::ResetOperation(0)

And this is from WinSCP:

. 2012-06-29 14:51:29.595 --------------------------------------------------------------------------
. 2012-06-29 14:51:29.595 WinSCP Version 4.3.8 (Build 1771) (OS 6.1.7601 Service Pack 1)
. 2012-06-29 14:51:29.595 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
. 2012-06-29 14:51:29.595 Local account: xxx\xxx
. 2012-06-29 14:51:29.596 Login time: Freitag, 29. Juni 2012 14:51:29
. 2012-06-29 14:51:29.596 --------------------------------------------------------------------------
. 2012-06-29 14:51:29.596 Session name: xxx@xxx.xxx.xxx (Modified stored session)
. 2012-06-29 14:51:29.596 Host name: xxx.xxx.xxx (Port: 21)
. 2012-06-29 14:51:29.596 User name: xxx (Password: Yes, Key file: No)
. 2012-06-29 14:51:29.596 Tunnel: No
. 2012-06-29 14:51:29.596 Transfer Protocol: FTP
. 2012-06-29 14:51:29.596 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2012-06-29 14:51:29.596 Proxy: none
. 2012-06-29 14:51:29.596 FTP: FTPS: Explicit SSL; Passive: No [Force IP: No]
. 2012-06-29 14:51:29.596 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-06-29 14:51:29.596 Cache directory changes: Yes, Permanent: Yes
. 2012-06-29 14:51:29.596 DST mode: 1
. 2012-06-29 14:51:29.596 --------------------------------------------------------------------------
. 2012-06-29 14:51:29.625 Connecting to xxx.xxx.xxx ...
. 2012-06-29 14:51:29.625 m_pSslLayer changed state from 0 to 1
. 2012-06-29 14:51:29.625 m_pSslLayer changed state from 1 to 2
. 2012-06-29 14:51:29.625 m_pSslLayer changed state from 2 to 4
. 2012-06-29 14:51:29.629 Connected with xxx.xxx.xxx, negotiating SSL connection...
< 2012-06-29 14:51:29.629 220 vsFTPd 2.0.7+ (ext.1) ready...
> 2012-06-29 14:51:29.629 AUTH SSL
< 2012-06-29 14:51:29.629 234 Proceed with negotiation.
. 2012-06-29 14:51:29.629 SSL_connect: SSLv3 read server hello A
. 2012-06-29 14:51:29.629 SSL_connect: SSLv3 read server certificate A
. 2012-06-29 14:51:29.629 SSL_connect: SSLv3 read server certificate request A
. 2012-06-29 14:51:29.629 SSL_connect: SSLv3 read server done A
. 2012-06-29 14:51:29.630 SSL_connect: SSLv3 write client certificate A
. 2012-06-29 14:51:29.630 SSL_connect: SSLv3 write client key exchange A
. 2012-06-29 14:51:29.630 SSL_connect: SSLv3 write change cipher spec A
. 2012-06-29 14:51:29.630 SSL_connect: SSLv3 write finished A
. 2012-06-29 14:51:29.630 SSL_connect: SSLv3 flush data
. 2012-06-29 14:51:29.655 SSL_connect: SSLv3 read finished A
. 2012-06-29 14:51:29.656 Using TLSv1, cipher TLSv1/SSLv3: AES256-SHA, 1024 bit RSA
. 2012-06-29 14:51:29.658 SSL connection established. Waiting for welcome message...
> 2012-06-29 14:51:29.658 USER xxx
< 2012-06-29 14:51:29.658 331 Please specify the password.
> 2012-06-29 14:51:29.658 PASS *********
< 2012-06-29 14:51:29.669 230 Login successful.
> 2012-06-29 14:51:29.669 SYST
< 2012-06-29 14:51:29.670 215 UNIX Type: L8
> 2012-06-29 14:51:29.670 FEAT
< 2012-06-29 14:51:29.671 211-Features:
< 2012-06-29 14:51:29.671  AUTH SSL
< 2012-06-29 14:51:29.671  AUTH TLS
< 2012-06-29 14:51:29.672  EPRT
< 2012-06-29 14:51:29.672  MDTM
< 2012-06-29 14:51:29.672  UTF8
< 2012-06-29 14:51:29.672  PBSZ
< 2012-06-29 14:51:29.673  PROT
< 2012-06-29 14:51:29.673  REST STREAM
< 2012-06-29 14:51:29.673  SIZE
< 2012-06-29 14:51:29.673  TVFS
< 2012-06-29 14:51:29.674 211 End
> 2012-06-29 14:51:29.674 OPTS UTF8 ON
< 2012-06-29 14:51:29.675 200 UTF8 option is On.
> 2012-06-29 14:51:29.676 PBSZ 0
< 2012-06-29 14:51:29.677 200 PBSZ set to 0.
> 2012-06-29 14:51:29.677 PROT P
< 2012-06-29 14:51:29.678 200 PROT now Private.
. 2012-06-29 14:51:29.685 Connected
. 2012-06-29 14:51:29.685 Got reply 1 to the command 1
. 2012-06-29 14:51:29.685 --------------------------------------------------------------------------
. 2012-06-29 14:51:29.685 Using FTP protocol.
. 2012-06-29 14:51:29.685 Doing startup conversation with host.
> 2012-06-29 14:51:29.693 PWD
< 2012-06-29 14:51:29.694 257 "/"
. 2012-06-29 14:51:29.694 Got reply 1 to the command 16
. 2012-06-29 14:51:29.702 Getting current directory name.
. 2012-06-29 14:51:29.710 Retrieving directory listing...
> 2012-06-29 14:51:29.711 TYPE A
< 2012-06-29 14:51:29.711 200 Switching to ASCII mode.
> 2012-06-29 14:51:29.711 PORT 129,132,30,102,208,192
< 2012-06-29 14:51:29.711 200 PORT command successful. Consider using PASV.
> 2012-06-29 14:51:29.711 LIST -a
. 2012-06-29 14:51:29.711 m_pSslLayer changed state from 0 to 7
< 2012-06-29 14:51:29.711 150 Here comes the directory listing.
. 2012-06-29 14:51:29.711 m_pSslLayer changed state from 7 to 4
. 2012-06-29 14:51:29.748 SSL connection established
. 2012-06-29 14:51:29.945 drwxrwxr-x    2 ftp      ftp          4096 Jun 29 14:43 xxx
< 2012-06-29 14:51:29.947 226 Directory send OK.
. 2012-06-29 14:51:29.958 Directory listing successful
. 2012-06-29 14:51:29.958 Got reply 1 to the command 2
. 2012-06-29 14:51:29.958 Startup conversation with host finished.
. 2012-06-29 14:51:30.006 Session upkeep
. 2012-06-29 14:51:30.219 Session upkeep
. 2012-06-29 14:51:30.732 Session upkeep
. 2012-06-29 14:51:31.232 Session upkeep
. 2012-06-29 14:51:31.746 Session upkeep
. 2012-06-29 14:51:31.972 Cached directory change via "winscp" to "/xxx".
. 2012-06-29 14:51:31.972 Getting current directory name.
. 2012-06-29 14:51:31.972 Retrieving directory listing...
> 2012-06-29 14:51:31.972 CWD /xxx/
< 2012-06-29 14:51:31.974 250 Directory successfully changed.
> 2012-06-29 14:51:31.974 PWD
< 2012-06-29 14:51:31.976 257 "/xxx"
> 2012-06-29 14:51:31.976 TYPE A
< 2012-06-29 14:51:31.977 200 Switching to ASCII mode.
> 2012-06-29 14:51:31.978 PORT 129,132,30,102,208,193
< 2012-06-29 14:51:31.980 200 PORT command successful. Consider using PASV.
> 2012-06-29 14:51:31.980 LIST -a
. 2012-06-29 14:51:31.983 m_pSslLayer changed state from 0 to 7
. 2012-06-29 14:51:31.983 m_pSslLayer changed state from 7 to 4
< 2012-06-29 14:51:31.983 150 Here comes the directory listing.
. 2012-06-29 14:51:31.998 SSL3 alert write: fatal: protocol version
. 2012-06-29 14:51:31.998 Disconnected from server
. 2012-06-29 14:51:31.999 Could not retrieve directory listing
. 2012-06-29 14:51:31.999 Got reply 1004 to the command 2
* 2012-06-29 14:51:32.007 (ESshFatal) Lost connection.
* 2012-06-29 14:51:32.007 SSL3 alert write: fatal: protocol version
* 2012-06-29 14:51:32.007 Disconnected from server
* 2012-06-29 14:51:32.007 Could not retrieve directory listing
* 2012-06-29 14:51:32.007 Here comes the directory listing.
* 2012-06-29 14:51:32.007 Error listing directory '/xxx'.
* 2012-06-29 14:51:32.007 Error changing directory to 'xxx'.

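In the WinSCP log above, the control-channel handshake and the first LIST succeed, and the alert appears only on the data connection for the second LIST. The following Python triage helper is an added example, not part of any post and not WinSCP code: it classifies each "SSL3 alert" line of a WinSCP session log by channel and sender. The function name, the set of data commands and the sample log are assumptions constructed for illustration.

```python
import re

# WinSCP session log line: marker ('.' info, '>' command, '<' reply, '*' error), timestamp, text.
LINE = re.compile(r"^([.<>*!]) \d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} (.*)$")
# OpenSSL info-callback text: "write" = alert sent by this client, "read" = received from server.
ALERT = re.compile(r"SSL3 alert (read|write): (warning|fatal): (.+)")
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}  # assumed set

def classify_tls_alerts(log_text):
    """Return one dict per TLS alert: channel, sender, level, description, command in flight."""
    control_tls_up = False   # control-channel handshake finished
    command = None           # last FTP command sent
    data_pending = False     # a data-transfer command is awaiting its 226 reply
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        marker, text = m.groups()
        if marker == ">":
            command = text
            data_pending = text.partition(" ")[0].upper() in DATA_COMMANDS
        elif marker == "<" and text.startswith("226"):
            data_pending = False
        elif marker == ".":   # '*' lines only repeat the error summary, so skip them
            if text.startswith("SSL connection established. Waiting"):
                control_tls_up = True
            a = ALERT.search(text)
            if a:
                direction, level, description = a.groups()
                findings.append({
                    "channel": "data" if control_tls_up and data_pending else "control",
                    "sent_by": "client" if direction == "write" else "server",
                    "level": level,
                    "description": description.strip(),
                    "command": command,
                })
    return findings

# Constructed sample, condensed from the shape of the WinSCP log posted in this thread.
SAMPLE_LOG = """\
> 2012-06-29 14:51:29.629 AUTH SSL
. 2012-06-29 14:51:29.658 SSL connection established. Waiting for welcome message...
> 2012-06-29 14:51:29.711 LIST -a
. 2012-06-29 14:51:29.748 SSL connection established
< 2012-06-29 14:51:29.947 226 Directory send OK.
> 2012-06-29 14:51:31.980 LIST -a
< 2012-06-29 14:51:31.983 150 Here comes the directory listing.
. 2012-06-29 14:51:31.998 SSL3 alert write: fatal: protocol version
* 2012-06-29 14:51:32.007 SSL3 alert write: fatal: protocol version
"""

if __name__ == "__main__":
    print(classify_tls_alerts(SAMPLE_LOG))
```

A "data" / "client" result means the client itself rejected the handshake on the transfer connection, which separates this case from a failure during AUTH on the control connection.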

clalley
Guest

When will 4.3.9 be released?

I need the fix for the SSL3 alert write: fatal: protocol version. Can you tell me when 4.3.9 will be released?


martin
Site Admin

Re: When will 4.3.9 be released?

clalley wrote:

I need the fix for the SSL3 alert write: fatal: protocol version. Can you tell me when 4.3.9 will be released?

We hope that in very few days.


RolandK
Guest

Hello,

I still cannot use FTP with SSL with vsftpd.

I'm using SLES11sp2, which comes with vsftpd 2.0.7.

I get SSL3 alert write: fatal: protocol version on the client side (4.3.9 and newer) and this error on the server side:

Thu Aug 2 12:22:07 2012 [pid 15553] CONNECT: Client "1.2.3.4"
Thu Aug 2 12:22:07 2012 [pid 15553] DEBUG: Client "1.2.3.4", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-SHA, not reused, no cert"
Thu Aug 2 12:22:07 2012 [pid 15552] [root] OK LOGIN: Client "1.2.3.4"
Thu Aug 2 12:22:07 2012 [pid 15554] [root] DEBUG: Client "1.2.3.4", "SSL_accept failed: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized"


I don't find a more recent package of vsftpd for SLES11, and building vsftpd 3.0.0 from source doesn't work either.
I also had connection problems with FileZilla, but this could be worked around with ssl_ciphers=HIGH in vsftpd.conf.

I'm out of ideas.

Any clues?


martin
Site Admin

RolandK wrote:

I get SSL3 alert write: fatal: protocol version on the client side (4.3.9 and newer) and this error on the server side:

Thu Aug 2 12:22:07 2012 [pid 15553] CONNECT: Client "1.2.3.4"
Thu Aug 2 12:22:07 2012 [pid 15553] DEBUG: Client "1.2.3.4", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-SHA, not reused, no cert"
Thu Aug 2 12:22:07 2012 [pid 15552] [root] OK LOGIN: Client "1.2.3.4"
Thu Aug 2 12:22:07 2012 [pid 15554] [root] DEBUG: Client "1.2.3.4", "SSL_accept failed: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized"

Can you send me an email, so I can send you back a debug version of WinSCP to track the problem? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.
