WinSCP - SSL3 alert write: fatal: protocol version


senramesh
Guest

WinSCP - SSL3 alert write: fatal: protocol version

I have a RHEL-based VSFTPD server running FTPS. I was using WinSCP to connect to the server with "TLS Explicit" and "Force IP Addr Pasv mode". Suddenly, about two months ago, WinSCP started throwing an error. Not sure whether it is a VSFTPD, OpenSSL or WinSCP issue.

Please! Please!! Help me.



WinSCP UI error

SSL3 alert write: fatal: protocol version
Disconnected from server
Could not retrieve directory listing
Switching to ASCII mode.
Error listing directory '/'.



My VSFTPD configuration is as follows:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
log_ftp_protocol=YES
require_ssl_reuse=NO
pasv_promiscuous=YES
pasv_min_port=40000
pasv_max_port=40010
ssl_ciphers=HIGH

debug_ssl=YES
vsftpd_log_file=/var/log/vsftpd.log
dual_log_enable=YES
anonymous_enable=no
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES



WinSCP Debug2 log shows this:

. 2013-03-13 13:17:08.377 --------------------------------------------------------------------------
. 2013-03-13 13:17:08.377 WinSCP Version 5.1.4 (Build 3020) (OS 6.1.7601 Service Pack 1)
. 2013-03-13 13:17:08.377 Configuration: C:\testuser\tools\winscp514\WinSCP.ini
. 2013-03-13 13:17:08.377 Local account: skanda\testuseree
. 2013-03-13 13:17:08.377 Working directory: C:\testuser\tools\winscp514
. 2013-03-13 13:17:08.377 Command-line: "C:\testuser\tools\winscp514\WinSCP.exe" 
. 2013-03-13 13:17:08.377 Time zone: Current: GMT+4, Standard: GMT+4, DST: GMT+5, DST Start: 30/12/1899, DST End: 30/12/1899
. 2013-03-13 13:17:08.377 Login time: Wednesday, March 13, 2013 1:17:08 PM
. 2013-03-13 13:17:08.377 --------------------------------------------------------------------------
. 2013-03-13 13:17:08.377 Session name: myftpuser@xx.xx.xx.xx (Stored session)
. 2013-03-13 13:17:08.377 Host name: xx.xx.xx.xx (Port: 21)
. 2013-03-13 13:17:08.377 User name: myftpuser (Password: Yes, Key file: No)
. 2013-03-13 13:17:08.377 Tunnel: No
. 2013-03-13 13:17:08.377 Transfer Protocol: FTP
. 2013-03-13 13:17:08.377 Ping type: C, Ping interval: 30 sec; Timeout: 30 sec
. 2013-03-13 13:17:08.377 Proxy: none
. 2013-03-13 13:17:08.377 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: +]
. 2013-03-13 13:17:08.377 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2013-03-13 13:17:08.377 Cache directory changes: Yes, Permanent: Yes
. 2013-03-13 13:17:08.377 DST mode: 1; Timezone offset: 4h 0m
. 2013-03-13 13:17:08.377 --------------------------------------------------------------------------
. 2013-03-13 13:17:08.377 Session upkeep
. 2013-03-13 13:17:08.471 Connecting to xx.xx.xx.xx ...
. 2013-03-13 13:17:08.471 m_pSslLayer changed state from 0 to 1
. 2013-03-13 13:17:08.471 m_pSslLayer changed state from 1 to 2
. 2013-03-13 13:17:08.471 m_pSslLayer changed state from 2 to 4
. 2013-03-13 13:17:08.533 Connected with xx.xx.xx.xx, negotiating SSL connection...
< 2013-03-13 13:17:08.533 220 (vsFTPd 2.2.2)
> 2013-03-13 13:17:08.533 AUTH TLS
< 2013-03-13 13:17:08.533 234 Proceed with negotiation.
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server hello A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server certificate A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server certificate request A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server done A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write client certificate A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write client key exchange A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write change cipher spec A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write finished A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 flush data
. 2013-03-13 13:17:09.188 SSL_connect: SSLv3 read server session ticket A
. 2013-03-13 13:17:09.188 SSL_connect: SSLv3 read finished A
. 2013-03-13 13:17:09.188 Using TLSv1, cipher TLSv1/SSLv3: AES256-SHA, 1024 bit RSA
. 2013-03-13 13:17:09.220 SSL connection established. Waiting for welcome message...
> 2013-03-13 13:17:09.220 USER myftpuser
< 2013-03-13 13:17:09.220 331 Please specify the password.
> 2013-03-13 13:17:09.220 PASS *********
< 2013-03-13 13:17:09.298 230 Login successful.
> 2013-03-13 13:17:09.298 SYST
< 2013-03-13 13:17:09.329 215 UNIX Type: L8
> 2013-03-13 13:17:09.329 FEAT
< 2013-03-13 13:17:09.360 211-Features:
< 2013-03-13 13:17:09.360  AUTH SSL
< 2013-03-13 13:17:09.360  AUTH TLS
< 2013-03-13 13:17:09.391  EPRT
< 2013-03-13 13:17:09.391  EPSV
< 2013-03-13 13:17:09.391  MDTM
< 2013-03-13 13:17:09.391  PASV
< 2013-03-13 13:17:09.391  PBSZ
< 2013-03-13 13:17:09.391  PROT
< 2013-03-13 13:17:09.391  REST STREAM
< 2013-03-13 13:17:09.391  SIZE
< 2013-03-13 13:17:09.391  TVFS
< 2013-03-13 13:17:09.391  UTF8
< 2013-03-13 13:17:09.391 211 End
> 2013-03-13 13:17:09.391 OPTS UTF8 ON
< 2013-03-13 13:17:09.422 200 Always in UTF8 mode.
> 2013-03-13 13:17:09.422 PBSZ 0
< 2013-03-13 13:17:09.454 200 PBSZ set to 0.
> 2013-03-13 13:17:09.454 PROT P
< 2013-03-13 13:17:09.469 200 PROT now Private.
. 2013-03-13 13:17:09.532 Connected
. 2013-03-13 13:17:09.532 Got reply 1 to the command 1
. 2013-03-13 13:17:09.532 --------------------------------------------------------------------------
. 2013-03-13 13:17:09.532 Using FTP protocol.
. 2013-03-13 13:17:09.532 Doing startup conversation with host.
> 2013-03-13 13:17:09.594 PWD
< 2013-03-13 13:17:09.610 257 "/"
. 2013-03-13 13:17:09.610 Got reply 1 to the command 16
. 2013-03-13 13:17:09.656 Getting current directory name.
. 2013-03-13 13:17:09.844 Retrieving directory listing...
> 2013-03-13 13:17:09.844 TYPE A
< 2013-03-13 13:17:09.844 200 Switching to ASCII mode.
> 2013-03-13 13:17:09.844 PASV
. 2013-03-13 13:17:09.844 SSL3 alert write: fatal: protocol version
. 2013-03-13 13:17:09.844 Disconnected from server
. 2013-03-13 13:17:09.844 Could not retrieve directory listing
. 2013-03-13 13:17:09.844 Got reply 1004 to the command 2
. 2013-03-13 13:17:09.968 Connecting to xx.xx.xx.xx ...
. 2013-03-13 13:17:09.968 m_pSslLayer changed state from 0 to 1
. 2013-03-13 13:17:09.968 m_pSslLayer changed state from 1 to 2
. 2013-03-13 13:17:09.968 m_pSslLayer changed state from 2 to 4
. 2013-03-13 13:17:10.031 Connected with xx.xx.xx.xx, negotiating SSL connection...
< 2013-03-13 13:17:10.031 220 (vsFTPd 2.2.2)
> 2013-03-13 13:17:10.031 AUTH TLS
< 2013-03-13 13:17:10.031 234 Proceed with negotiation.
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server hello A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server certificate A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server certificate request A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server done A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write client certificate A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write client key exchange A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write change cipher spec A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write finished A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 flush data
. 2013-03-13 13:17:10.046 SSL_connect: SSLv3 read server session ticket A
. 2013-03-13 13:17:10.046 SSL_connect: SSLv3 read finished A
. 2013-03-13 13:17:10.046 Using TLSv1, cipher TLSv1/SSLv3: AES256-SHA, 1024 bit RSA
. 2013-03-13 13:17:10.093 SSL connection established. Waiting for welcome message...
> 2013-03-13 13:17:10.093 USER myftpuser
< 2013-03-13 13:17:10.093 331 Please specify the password.
> 2013-03-13 13:17:10.093 PASS *********
< 2013-03-13 13:17:10.171 230 Login successful.
> 2013-03-13 13:17:10.171 SYST
< 2013-03-13 13:17:10.218 215 UNIX Type: L8
> 2013-03-13 13:17:10.218 FEAT
< 2013-03-13 13:17:10.249 211-Features:
< 2013-03-13 13:17:10.249  AUTH SSL
< 2013-03-13 13:17:10.249  AUTH TLS
< 2013-03-13 13:17:10.249  EPRT
< 2013-03-13 13:17:10.249  EPSV
< 2013-03-13 13:17:10.265  MDTM
< 2013-03-13 13:17:10.265  PASV
< 2013-03-13 13:17:10.265  PBSZ
< 2013-03-13 13:17:10.265  PROT
< 2013-03-13 13:17:10.265  REST STREAM
< 2013-03-13 13:17:10.265  SIZE
< 2013-03-13 13:17:10.265  TVFS
< 2013-03-13 13:17:10.280  UTF8
< 2013-03-13 13:17:10.280 211 End
> 2013-03-13 13:17:10.280 OPTS UTF8 ON
< 2013-03-13 13:17:10.296 200 Always in UTF8 mode.
> 2013-03-13 13:17:10.296 PBSZ 0
< 2013-03-13 13:17:10.327 200 PBSZ set to 0.
> 2013-03-13 13:17:10.327 PROT P
< 2013-03-13 13:17:10.358 200 PROT now Private.
. 2013-03-13 13:17:10.405 Connected
. 2013-03-13 13:17:10.405 Got reply 1 to the command 1
. 2013-03-13 13:17:10.405 Doing startup conversation with host.
> 2013-03-13 13:17:10.468 PWD
< 2013-03-13 13:17:10.499 257 "/"
. 2013-03-13 13:17:10.499 Got reply 1 to the command 16
. 2013-03-13 13:17:10.530 Changing directory to "/".
> 2013-03-13 13:17:10.530 CWD /
< 2013-03-13 13:17:10.561 250 Directory successfully changed.
. 2013-03-13 13:17:10.561 Got reply 1 to the command 16
. 2013-03-13 13:17:10.561 Getting current directory name.
> 2013-03-13 13:17:10.561 PWD
< 2013-03-13 13:17:10.592 257 "/"
. 2013-03-13 13:17:10.592 Got reply 1 to the command 16
. 2013-03-13 13:17:10.655 Startup conversation with host finished.
. 2013-03-13 13:17:10.873 Retrieving directory listing...
> 2013-03-13 13:17:10.873 TYPE A
< 2013-03-13 13:17:10.873 200 Switching to ASCII mode.
> 2013-03-13 13:17:10.873 PASV
. 2013-03-13 13:17:10.873 SSL3 alert write: fatal: protocol version
. 2013-03-13 13:17:10.873 Disconnected from server
. 2013-03-13 13:17:10.873 Could not retrieve directory listing
. 2013-03-13 13:17:10.873 Got reply 1004 to the command 2
* 2013-03-13 13:17:11.092 (EFatal) Lost connection.
* 2013-03-13 13:17:11.092 SSL3 alert write: fatal: protocol version
* 2013-03-13 13:17:11.092 Disconnected from server
* 2013-03-13 13:17:11.092 Could not retrieve directory listing
* 2013-03-13 13:17:11.092 Switching to ASCII mode.
* 2013-03-13 13:17:11.092 Error listing directory '/'.



Openssl connect on RHEL-VSFTPD server

[root@MY_SERVER vsftpd]# openssl s_client -connect xx.xx.xx.xx:21 -state -debug -tls1 -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x959b9b0 [0x95e104b] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 51 40 7e b4 0a   ....l...h..Q@~..
0010 - d5 df 03 3d 9d f7 de b2-a4 43 36 8c 18 af 3d 25   ...=.....C6...=%
0020 - 22 93 e2 70 a5 8f 02 65-6f 23 a1 00 00 3a 00 39   "..p...eo#...:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a   .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96   .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11   .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23      ..............#
0071 - <SPACES/NULS>
>>> TLS 1.0 Handshake [length 006c], ClientHello
    01 00 00 68 03 01 51 40 7e b4 0a d5 df 03 3d 9d
    f7 de b2 a4 43 36 8c 18 af 3d 25 22 93 e2 70 a5
    8f 02 65 6f 23 a1 00 00 3a 00 39 00 38 00 88 00
    87 00 35 00 84 00 16 00 13 00 0a 00 33 00 32 00
    9a 00 99 00 45 00 44 00 2f 00 96 00 41 00 05 00
    04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00
    03 00 ff 02 01 00 00 04 00 23 00 00
SSL_connect:SSLv3 write client hello A
read from 0x959b9b0 [0x95dcafb] (5 bytes => 5 (0x5))
0000 - 32 32 30 20 28                                    220 (
write to 0x959b9b0 [0x95e6508] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 46                              ......F
>>> TLS 1.0 Alert [length 0002], fatal protocol_version
    02 46
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read server hello A
3079272172:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1363181236
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

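Added example (editor's code, not part of senramesh's post and not code from WinSCP, vsftpd or OpenSSL): a small decoder for the two byte strings shown in the openssl s_client transcript above. It reads the 5 bytes the server sent ("220 (") as a TLS record header, which is exactly what OpenSSL does, and shows why that produces `SSL3_GET_RECORD:wrong version number`: the server is still speaking plaintext FTP because the client connected to port 21 and sent a ClientHello without first issuing AUTH TLS (for an explicit-FTPS control port, `openssl s_client` needs `-starttls ftp`). It also decodes the alert the client wrote back (`15 03 01 00 02 02 46`) as fatal/protocol_version. The input bytes are copied from the transcript; the dictionary of alert descriptions is a subset of the TLS registry.

```python
"""Decode the bytes from the openssl s_client transcript (constructed inputs
taken from the hex dumps in the post):
  client wrote:  15 03 01 00 02 02 46   (7 bytes)
  server sent:   32 32 30 20 28         (5 bytes, ASCII "220 (")
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS alert registry (RFC 5246 section 7.2); 70 is protocol_version.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version", 80: "internal_error"}


def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS record header: type, version, length.

    The version field is checked before the content type, mirroring the order
    in which OpenSSL's record layer rejects input; that is why plaintext on the
    socket surfaces as 'wrong version number' rather than 'unknown type'.
    """
    if len(data) < 5:
        return {"valid": False, "reason": "short read"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"content_type": ctype, "version": (major, minor), "length": length}
    if (major, minor) not in VERSIONS:
        return {"valid": False, "reason": "wrong version number", **info}
    if ctype not in CONTENT_TYPES:
        return {"valid": False, "reason": "unknown content type", **info}
    return {"valid": True, "content_type": CONTENT_TYPES[ctype],
            "version": VERSIONS[(major, minor)], "length": length}


def decode_alert(record: bytes) -> tuple:
    """Return (level, description) for a TLS alert record, e.g. ('fatal', 'protocol_version')."""
    hdr = parse_record_header(record)
    if not hdr["valid"] or hdr["content_type"] != "alert" or len(record) < 7:
        raise ValueError("not a complete TLS alert record: %r" % hdr)
    level, desc = record[5], record[6]
    return (ALERT_LEVELS.get(level, "level(%d)" % level),
            ALERT_DESCRIPTIONS.get(desc, "alert(%d)" % desc))


def classify_peer_bytes(data: bytes) -> str:
    """Explain what the server actually sent when the TLS header check fails.

    A three-digit code followed by a space or '-' is an FTP reply line
    (RFC 959): the server is still in plaintext mode, so no TLS handshake
    can succeed until the client has sent AUTH TLS on that connection.
    """
    hdr = parse_record_header(data)
    if hdr["valid"]:
        return "TLS %s record" % hdr["content_type"]
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext FTP reply"
    return "unrecognised bytes"


if __name__ == "__main__":
    sent = bytes.fromhex("15030100020246")   # from the 'write to' dump
    received = b"220 ("                      # from the 'read from' dump
    print("client wrote:", parse_record_header(sent), decode_alert(sent))
    print("server sent :", parse_record_header(received), "->", classify_peer_bytes(received))
```

The practical check this encodes: when s_client reports a protocol_version alert immediately after reading a handful of bytes, look at those bytes as text before suspecting the server's TLS settings; a banner such as `220 (` means the test itself skipped the STARTTLS step.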


martin
Site Admin

Re: WinSCP - SSL3 alert write: fatal: protocol version

Was it really "sudden" or did you change anything? WinSCP upgrade? VSFTPD upgrade?


senramesh
Guest

RESOLVED - Issue was because of the stale processes

Thank you very much for the reply, but I managed to fix it. The Google search had led me the wrong way. The issue was on the Linux side. I noticed that even after stopping or restarting the VSFTPD daemon, the VSFTPD-related processes were not completely stopped. A few processes were still alive, and those processes locked the PASSIVE connection ports 40000-40010. VSFTPD also didn't complain that the ports were in use and could not be allocated. Because of the stale processes, after the PASV command it gets disconnected abruptly. Please see the transcript.


[root@AMK-MDC-FTP vsftpd]# /etc/init.d/vsftpd stop
Shutting down vsftpd: [  OK  ]

[root@MY_SERVER vsftpd]# netstat -anp | grep vsftp
tcp        0      0 xx.xx.xx.xx:40000           0.0.0.0:*                   LISTEN      20538/vsftpd        
tcp        0      0 xx.xx.xx.xx:40001           0.0.0.0:*                   LISTEN      20442/vsftpd        
tcp        0      0 xx.xx.xx.xx:40002           0.0.0.0:*                   LISTEN      20438/vsftpd        
tcp        0      0 xx.xx.xx.xx:40003           0.0.0.0:*                   LISTEN      20606/vsftpd        
tcp        0      0 xx.xx.xx.xx:40004           0.0.0.0:*                   LISTEN      20587/vsftpd     <== Process failing to stop
tcp        0      0 xx.xx.xx.xx:40005           0.0.0.0:*                   LISTEN      20435/vsftpd        
tcp        0      0 xx.xx.xx.xx:40006           0.0.0.0:*                   LISTEN      20546/vsftpd        
tcp        0      0 xx.xx.xx.xx:40007           0.0.0.0:*                   LISTEN      20432/vsftpd        
tcp        0      0 xx.xx.xx.xx:40008           0.0.0.0:*                   LISTEN      20696/vsftpd        
tcp        0      0 xx.xx.xx.xx:40009           0.0.0.0:*                   LISTEN      20693/vsftpd        
tcp        0      0 xx.xx.xx.xx:40010           0.0.0.0:*                   LISTEN      20600/vsftpd        

[root@MY_SERVER vsftpd]# ps -ef | grep vsftp
root      8643  3262  0 11:59 pts/1    00:00:00 grep vsftp
nobody   20432     1  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody   20433 20432  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

[ TRUNCATED O/P FOR VISIBILITY ]

nobody   20696     1  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody   20697 20696  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
upldusr  20698 20696  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf


[root@MY_SERVER vsftpd]# ps -ef | grep vsftpd | awk '{print $2}' | xargs kill -9

[root@MY_SERVER vsftpd]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd: [  OK  ]


Then everything started working fine. Maybe this is helpful to some people if they face similar issues.

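Added example (editor's code, not part of senramesh's post and not a vsftpd tool): an audit of the passive port range that turns the manual `netstat -anp` / `ps -ef` inspection above into a repeatable check. It reads `pasv_min_port`/`pasv_max_port` from vsftpd.conf text, parses `netstat -anp` and `ps -ef` output, and reports every listener inside the range together with its owning process, whether that process has been reparented to PID 1 (an orphaned session whose daemon is gone), and whether the range is fully exhausted, which is the state in which a fresh PASV cannot be served. Run it after `service vsftpd stop`, when nothing should be listening in that range at all. The configuration, netstat and ps samples below are constructed from the transcript in the post (PIDs reused, the address replaced by a documentation IP); `VSFTPD_CONF`, `NETSTAT_OUTPUT` and `PS_OUTPUT` are the sample inputs, not live data.

```python
"""Audit the vsftpd passive port range for stale listeners (constructed inputs)."""
import re

# Constructed samples modelled on the post's transcript.
VSFTPD_CONF = """\
listen=YES
pasv_min_port=40000
pasv_max_port=40010
ssl_enable=YES
"""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 192.0.2.10:40000            0.0.0.0:*                   LISTEN      20538/vsftpd
tcp        0      0 192.0.2.10:40001            0.0.0.0:*                   LISTEN      20442/vsftpd
tcp        0      0 192.0.2.10:40002            0.0.0.0:*                   LISTEN      20438/vsftpd
tcp        0      0 192.0.2.10:40003            0.0.0.0:*                   LISTEN      20606/vsftpd
tcp        0      0 192.0.2.10:40004            0.0.0.0:*                   LISTEN      20587/vsftpd
tcp        0      0 192.0.2.10:40005            0.0.0.0:*                   LISTEN      20435/vsftpd
tcp        0      0 192.0.2.10:40006            0.0.0.0:*                   LISTEN      20546/vsftpd
tcp        0      0 192.0.2.10:40007            0.0.0.0:*                   LISTEN      20432/vsftpd
tcp        0      0 192.0.2.10:40008            0.0.0.0:*                   LISTEN      20696/vsftpd
tcp        0      0 192.0.2.10:40009            0.0.0.0:*                   LISTEN      20693/vsftpd
tcp        0      0 192.0.2.10:40010            0.0.0.0:*                   LISTEN      20600/vsftpd
tcp        0      0 192.0.2.10:21               198.51.100.7:51234          ESTABLISHED 20432/vsftpd
"""

PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      8643  3262  0 11:59 pts/1    00:00:00 grep vsftp
nobody   20432     1  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody   20433 20432  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody   20587     1  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody   20696     1  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
upldusr  20600 20696  0  2012 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
"""

LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)")


def parse_pasv_range(conf_text):
    """Read pasv_min_port/pasv_max_port from vsftpd.conf text (0 means 'any port')."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    if lo == 0 or hi == 0 or lo > hi:
        raise ValueError("vsftpd.conf does not pin a usable passive port range")
    return lo, hi


def parse_listeners(netstat_text):
    """Return {port: (pid, program)} for LISTEN sockets whose owner netstat resolved."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group("port"))] = (int(m.group("pid")), m.group("prog"))
    return listeners


def parse_processes(ps_text):
    """Return {pid: (ppid, user, stime)} from `ps -ef` output, skipping the header."""
    procs = {}
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) == 8 and fields[1].isdigit():
            procs[int(fields[1])] = (int(fields[2]), fields[0], fields[4])
    return procs


def passive_port_report(conf_text, netstat_text, ps_text):
    """List every listener inside the passive range and whether the range is exhausted.

    After `service vsftpd stop` any vsftpd listener here is a stale session; a
    PPID of 1 means its parent daemon is gone and init adopted it.
    """
    lo, hi = parse_pasv_range(conf_text)
    listeners = parse_listeners(netstat_text)
    procs = parse_processes(ps_text)
    held = []
    for port in range(lo, hi + 1):
        if port in listeners:
            pid, prog = listeners[port]
            ppid, user, stime = procs.get(pid, (None, "unknown", "unknown"))
            held.append({"port": port, "pid": pid, "program": prog, "user": user,
                         "started": stime, "orphaned": None if ppid is None else ppid == 1})
    total = hi - lo + 1
    return {"range": (lo, hi), "held": len(held), "free": total - len(held),
            "exhausted": len(held) == total, "listeners": held}


if __name__ == "__main__":
    report = passive_port_report(VSFTPD_CONF, NETSTAT_OUTPUT, PS_OUTPUT)
    print("passive range %d-%d: %d held, %d free, exhausted=%s"
          % (*report["range"], report["held"], report["free"], report["exhausted"]))
    for entry in report["listeners"]:
        print(entry)
```

On a live host the three inputs come from `/etc/vsftpd/vsftpd.conf`, `netstat -anp` and `ps -ef` (or `ss -ltnp` with an adjusted regex). An exhausted range with orphaned owners is the signature described in the post; the remedy is to terminate those leftover processes and restart the daemon, and to re-run the report after the stop step of every future restart so the condition is caught before clients see a dropped PASV.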

