WinSCP - SSL3 alert write: fatal: protocol version
I have a RHEL-based VSFTPD server running FTPS. I was using WinSCP to connect to the server with "TLS Explicit" and "Force IP Addr Pasv mode". WinSCP suddenly started throwing an error, and this has been happening for the last two months. I am not sure whether it is a VSFTPD, OpenSSL or WinSCP issue.
Please! Please!! Help me.
WinSCP UI error
SSL3 alert write: fatal: protocol version
Disconnected from server
Could not retrieve directory listing
Switching to ASCII mode.
Error listing directory '/'.
My VSFTPD configuration is as follows:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
log_ftp_protocol=YES
require_ssl_reuse=NO
pasv_promiscuous=YES
pasv_min_port=40000
pasv_max_port=40010
ssl_ciphers=HIGH
debug_ssl=YES
vsftpd_log_file=/var/log/vsftpd.log
dual_log_enable=YES
anonymous_enable=no
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
The WinSCP Debug 2 log shows this:
. 2013-03-13 13:17:08.377 --------------------------------------------------------------------------
. 2013-03-13 13:17:08.377 WinSCP Version 5.1.4 (Build 3020) (OS 6.1.7601 Service Pack 1)
. 2013-03-13 13:17:08.377 Configuration: C:\testuser\tools\winscp514\WinSCP.ini
. 2013-03-13 13:17:08.377 Local account: skanda\testuseree
. 2013-03-13 13:17:08.377 Working directory: C:\testuser\tools\winscp514
. 2013-03-13 13:17:08.377 Command-line: "C:\testuser\tools\winscp514\WinSCP.exe"
. 2013-03-13 13:17:08.377 Time zone: Current: GMT+4, Standard: GMT+4, DST: GMT+5, DST Start: 30/12/1899, DST End: 30/12/1899
. 2013-03-13 13:17:08.377 Login time: Wednesday, March 13, 2013 1:17:08 PM
. 2013-03-13 13:17:08.377 --------------------------------------------------------------------------
. 2013-03-13 13:17:08.377 Session name: myftpuser@xx.xx.xx.xx (Stored session)
. 2013-03-13 13:17:08.377 Host name: xx.xx.xx.xx (Port: 21)
. 2013-03-13 13:17:08.377 User name: myftpuser (Password: Yes, Key file: No)
. 2013-03-13 13:17:08.377 Tunnel: No
. 2013-03-13 13:17:08.377 Transfer Protocol: FTP
. 2013-03-13 13:17:08.377 Ping type: C, Ping interval: 30 sec; Timeout: 30 sec
. 2013-03-13 13:17:08.377 Proxy: none
. 2013-03-13 13:17:08.377 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: +]
. 2013-03-13 13:17:08.377 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2013-03-13 13:17:08.377 Cache directory changes: Yes, Permanent: Yes
. 2013-03-13 13:17:08.377 DST mode: 1; Timezone offset: 4h 0m
. 2013-03-13 13:17:08.377 --------------------------------------------------------------------------
. 2013-03-13 13:17:08.377 Session upkeep
. 2013-03-13 13:17:08.471 Connecting to xx.xx.xx.xx ...
. 2013-03-13 13:17:08.471 m_pSslLayer changed state from 0 to 1
. 2013-03-13 13:17:08.471 m_pSslLayer changed state from 1 to 2
. 2013-03-13 13:17:08.471 m_pSslLayer changed state from 2 to 4
. 2013-03-13 13:17:08.533 Connected with xx.xx.xx.xx, negotiating SSL connection...
< 2013-03-13 13:17:08.533 220 (vsFTPd 2.2.2)
> 2013-03-13 13:17:08.533 AUTH TLS
< 2013-03-13 13:17:08.533 234 Proceed with negotiation.
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server hello A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server certificate A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server certificate request A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 read server done A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write client certificate A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write client key exchange A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write change cipher spec A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 write finished A
. 2013-03-13 13:17:09.157 SSL_connect: SSLv3 flush data
. 2013-03-13 13:17:09.188 SSL_connect: SSLv3 read server session ticket A
. 2013-03-13 13:17:09.188 SSL_connect: SSLv3 read finished A
. 2013-03-13 13:17:09.188 Using TLSv1, cipher TLSv1/SSLv3: AES256-SHA, 1024 bit RSA
. 2013-03-13 13:17:09.220 SSL connection established. Waiting for welcome message...
> 2013-03-13 13:17:09.220 USER myftpuser
< 2013-03-13 13:17:09.220 331 Please specify the password.
> 2013-03-13 13:17:09.220 PASS *********
< 2013-03-13 13:17:09.298 230 Login successful.
> 2013-03-13 13:17:09.298 SYST
< 2013-03-13 13:17:09.329 215 UNIX Type: L8
> 2013-03-13 13:17:09.329 FEAT
< 2013-03-13 13:17:09.360 211-Features:
< 2013-03-13 13:17:09.360 AUTH SSL
< 2013-03-13 13:17:09.360 AUTH TLS
< 2013-03-13 13:17:09.391 EPRT
< 2013-03-13 13:17:09.391 EPSV
< 2013-03-13 13:17:09.391 MDTM
< 2013-03-13 13:17:09.391 PASV
< 2013-03-13 13:17:09.391 PBSZ
< 2013-03-13 13:17:09.391 PROT
< 2013-03-13 13:17:09.391 REST STREAM
< 2013-03-13 13:17:09.391 SIZE
< 2013-03-13 13:17:09.391 TVFS
< 2013-03-13 13:17:09.391 UTF8
< 2013-03-13 13:17:09.391 211 End
> 2013-03-13 13:17:09.391 OPTS UTF8 ON
< 2013-03-13 13:17:09.422 200 Always in UTF8 mode.
> 2013-03-13 13:17:09.422 PBSZ 0
< 2013-03-13 13:17:09.454 200 PBSZ set to 0.
> 2013-03-13 13:17:09.454 PROT P
< 2013-03-13 13:17:09.469 200 PROT now Private.
. 2013-03-13 13:17:09.532 Connected
. 2013-03-13 13:17:09.532 Got reply 1 to the command 1
. 2013-03-13 13:17:09.532 --------------------------------------------------------------------------
. 2013-03-13 13:17:09.532 Using FTP protocol.
. 2013-03-13 13:17:09.532 Doing startup conversation with host.
> 2013-03-13 13:17:09.594 PWD
< 2013-03-13 13:17:09.610 257 "/"
. 2013-03-13 13:17:09.610 Got reply 1 to the command 16
. 2013-03-13 13:17:09.656 Getting current directory name.
. 2013-03-13 13:17:09.844 Retrieving directory listing...
> 2013-03-13 13:17:09.844 TYPE A
< 2013-03-13 13:17:09.844 200 Switching to ASCII mode.
> 2013-03-13 13:17:09.844 PASV
. 2013-03-13 13:17:09.844 SSL3 alert write: fatal: protocol version
. 2013-03-13 13:17:09.844 Disconnected from server
. 2013-03-13 13:17:09.844 Could not retrieve directory listing
. 2013-03-13 13:17:09.844 Got reply 1004 to the command 2
. 2013-03-13 13:17:09.968 Connecting to xx.xx.xx.xx ...
. 2013-03-13 13:17:09.968 m_pSslLayer changed state from 0 to 1
. 2013-03-13 13:17:09.968 m_pSslLayer changed state from 1 to 2
. 2013-03-13 13:17:09.968 m_pSslLayer changed state from 2 to 4
. 2013-03-13 13:17:10.031 Connected with xx.xx.xx.xx, negotiating SSL connection...
< 2013-03-13 13:17:10.031 220 (vsFTPd 2.2.2)
> 2013-03-13 13:17:10.031 AUTH TLS
< 2013-03-13 13:17:10.031 234 Proceed with negotiation.
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server hello A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server certificate A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server certificate request A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 read server done A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write client certificate A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write client key exchange A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write change cipher spec A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 write finished A
. 2013-03-13 13:17:10.031 SSL_connect: SSLv3 flush data
. 2013-03-13 13:17:10.046 SSL_connect: SSLv3 read server session ticket A
. 2013-03-13 13:17:10.046 SSL_connect: SSLv3 read finished A
. 2013-03-13 13:17:10.046 Using TLSv1, cipher TLSv1/SSLv3: AES256-SHA, 1024 bit RSA
. 2013-03-13 13:17:10.093 SSL connection established. Waiting for welcome message...
> 2013-03-13 13:17:10.093 USER myftpuser
< 2013-03-13 13:17:10.093 331 Please specify the password.
> 2013-03-13 13:17:10.093 PASS *********
< 2013-03-13 13:17:10.171 230 Login successful.
> 2013-03-13 13:17:10.171 SYST
< 2013-03-13 13:17:10.218 215 UNIX Type: L8
> 2013-03-13 13:17:10.218 FEAT
< 2013-03-13 13:17:10.249 211-Features:
< 2013-03-13 13:17:10.249 AUTH SSL
< 2013-03-13 13:17:10.249 AUTH TLS
< 2013-03-13 13:17:10.249 EPRT
< 2013-03-13 13:17:10.249 EPSV
< 2013-03-13 13:17:10.265 MDTM
< 2013-03-13 13:17:10.265 PASV
< 2013-03-13 13:17:10.265 PBSZ
< 2013-03-13 13:17:10.265 PROT
< 2013-03-13 13:17:10.265 REST STREAM
< 2013-03-13 13:17:10.265 SIZE
< 2013-03-13 13:17:10.265 TVFS
< 2013-03-13 13:17:10.280 UTF8
< 2013-03-13 13:17:10.280 211 End
> 2013-03-13 13:17:10.280 OPTS UTF8 ON
< 2013-03-13 13:17:10.296 200 Always in UTF8 mode.
> 2013-03-13 13:17:10.296 PBSZ 0
< 2013-03-13 13:17:10.327 200 PBSZ set to 0.
> 2013-03-13 13:17:10.327 PROT P
< 2013-03-13 13:17:10.358 200 PROT now Private.
. 2013-03-13 13:17:10.405 Connected
. 2013-03-13 13:17:10.405 Got reply 1 to the command 1
. 2013-03-13 13:17:10.405 Doing startup conversation with host.
> 2013-03-13 13:17:10.468 PWD
< 2013-03-13 13:17:10.499 257 "/"
. 2013-03-13 13:17:10.499 Got reply 1 to the command 16
. 2013-03-13 13:17:10.530 Changing directory to "/".
> 2013-03-13 13:17:10.530 CWD /
< 2013-03-13 13:17:10.561 250 Directory successfully changed.
. 2013-03-13 13:17:10.561 Got reply 1 to the command 16
. 2013-03-13 13:17:10.561 Getting current directory name.
> 2013-03-13 13:17:10.561 PWD
< 2013-03-13 13:17:10.592 257 "/"
. 2013-03-13 13:17:10.592 Got reply 1 to the command 16
. 2013-03-13 13:17:10.655 Startup conversation with host finished.
. 2013-03-13 13:17:10.873 Retrieving directory listing...
> 2013-03-13 13:17:10.873 TYPE A
< 2013-03-13 13:17:10.873 200 Switching to ASCII mode.
> 2013-03-13 13:17:10.873 PASV
. 2013-03-13 13:17:10.873 SSL3 alert write: fatal: protocol version
. 2013-03-13 13:17:10.873 Disconnected from server
. 2013-03-13 13:17:10.873 Could not retrieve directory listing
. 2013-03-13 13:17:10.873 Got reply 1004 to the command 2
* 2013-03-13 13:17:11.092 (EFatal) Lost connection.
* 2013-03-13 13:17:11.092 SSL3 alert write: fatal: protocol version
* 2013-03-13 13:17:11.092 Disconnected from server
* 2013-03-13 13:17:11.092 Could not retrieve directory listing
* 2013-03-13 13:17:11.092 Switching to ASCII mode.
* 2013-03-13 13:17:11.092 Error listing directory '/'.
Openssl connect on RHEL-VSFTPD server
[root@MY_SERVER vsftpd]# openssl s_client -connect xx.xx.xx.xx:21 -state -debug -tls1 -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x959b9b0 [0x95e104b] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 51 40 7e b4 0a ....l...h..Q@~..
0010 - d5 df 03 3d 9d f7 de b2-a4 43 36 8c 18 af 3d 25 ...=.....C6...=%
0020 - 22 93 e2 70 a5 8f 02 65-6f 23 a1 00 00 3a 00 39 "..p...eo#...:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
>>> TLS 1.0 Handshake [length 006c], ClientHello
01 00 00 68 03 01 51 40 7e b4 0a d5 df 03 3d 9d f7 de b2 a4 43 36 8c 18 af 3d 25 22 93 e2 70 a5 8f 02 65 6f 23 a1 00 00 3a 00 39 00 38 00 88 00 87 00 35 00 84 00 16 00 13 00 0a 00 33 00 32 00 9a 00 99 00 45 00 44 00 2f 00 96 00 41 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 04 00 23 00 00
SSL_connect:SSLv3 write client hello A
read from 0x959b9b0 [0x95dcafb] (5 bytes => 5 (0x5))
0000 - 32 32 30 20 28 220 (
write to 0x959b9b0 [0x95e6508] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 46 ......F
>>> TLS 1.0 Alert [length 0002], fatal protocol_version
02 46
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read server hello A
3079272172:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1363181236
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
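An added example, not part of the original post: it decodes the two short byte strings from the openssl s_client trace above as TLS record headers, showing that the 5 bytes the client read are the start of the plaintext FTP greeting "220 (" rather than a TLS record, and that the 7 bytes it wrote are a fatal protocol_version alert. The function and constant names are this example's own.

```python
import struct

# Bytes copied from the "openssl s_client -debug" output in the post above.
SERVER_FIRST_READ = bytes.fromhex("3232302028")       # "read from ... (5 bytes)"
CLIENT_ALERT_WRITE = bytes.fromhex("15030100020246")  # "write to ... (7 bytes)"

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}


def parse_record_header(data):
    """Interpret the first 5 bytes as a TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": CONTENT_TYPES.get(ctype), "version": VERSIONS.get((major, minor)),
            "raw_version": (major, minor), "length": length}


def classify(data):
    """Say what a peer's first bytes are: a TLS record, an FTP reply, or unknown."""
    hdr = parse_record_header(data)
    if hdr["type"] and hdr["version"]:
        return "tls-record"
    # An FTP reply line starts with three ASCII digits, then a space or hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "ftp-reply"
    return "unknown"


def parse_alert(record):
    """Decode a complete alert record into (level, description)."""
    hdr = parse_record_header(record)
    if hdr["type"] != "alert" or hdr["length"] != 2 or len(record) < 7:
        raise ValueError("not a 2-byte alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, level), ALERT_DESCRIPTIONS.get(desc, desc)


if __name__ == "__main__":
    # The client parsed "220 (" as a record header and saw "version" 0x32 0x30.
    print(classify(SERVER_FIRST_READ), parse_record_header(SERVER_FIRST_READ))
    print(classify(CLIENT_ALERT_WRITE), parse_alert(CLIENT_ALERT_WRITE))
```

The s_client command above connects to port 21 without sending AUTH TLS first, which openssl s_client does when given -starttls ftp; in the WinSCP log, by contrast, the control-channel handshake completes and the alert is written right after PASV.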