First, thank you WinSCP for the excellent product, which is why I choose to post this information to your site instead.
Solved:
IIS FTP Explicit SSL TLS 1.2 Windows Server 2008, 2012, 2016 using WinSCP.
My biggest challenge was enabling SSL 1.2 for the server websites while still having a fully functional FTP SSL server.
550 The supplied message is incomplete. The signature was not verified.
This error can occur when connecting to an FTPS server and files are being uploaded or downloaded or a list of files is being retrieved.
It was difficult to figure out, but it is such a simple fix.
First of all, enabling TLS 1.2 for the web services required editing the registry. You can create a .reg file to import using the text below, between the lines. Make sure you reboot the server after importing the reg changes.
----------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
----------------------------------------------------------------------------------------
Next, the article that I searched high and low for, which finally solved my FTP Server issues with the error "550 The supplied message is incomplete. The signature was not verified."
Thanks to:
https://help.2brightsparks.com/support/solutions/articles/43000336175-550-the-supplied-message-is-incomplete-the-signature-was-not-verified-
It simply works. I don't see it as a bug in Windows Server as much as an undocumented TLS 1.2 step; I do see it as a configuration change that needs to occur and that should have been better documented.
This issue must be fixed on the Windows computer that is running the FTPS server:
- Run the Group Policy Editor (gpedit.msc)
- Go to Local Computer Policy --> Administrative Templates --> Network --> SSL Configuration Settings
- Move TLS_RSA_WITH_RC4_128_SHA to the top of the priority list. How to modify this setting:
  - Open a blank notepad document.
  - Copy and paste the list of available suites into it.
  - Arrange the suites in the correct order; remove any suites you don't want to use.
  - Place a comma at the end of every suite name except the last. Make sure there are NO embedded spaces.
  - Remove all the line breaks so that the cipher suite names are on a single, long line.
  - Copy the cipher-suite line to the clipboard, and then paste it into the edit box. The maximum length is 1023 characters.
- Enable TLS 1.1 and/or TLS 1.2 on servers running Windows 7 or Windows Server 2008 R2. Refer to Microsoft Knowledge Base Article 2588513 to use the automated Microsoft Fix it solution to enable or disable this workaround for TLS 1.1. (The above registry import takes care of this.)
- Reboot Windows. This is important.
Verified the FTP Client can connect and transfer files:
WinSCP, New Site, File Protocol = FTP, Encryption = Explicit, Advanced Settings, Connection, FTP Passive Mode Must Be Checked, TLS/SSL, Minimum TLS/SSL = 1.2 and Maximum TLS/SSL Version = 1.2.
Note: if your FTP Server is behind a firewall appliance, you must set the outside IP in IIS, Sites, FTP Site, FTP Firewall Support.
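
The cipher-suite line from the Notepad steps above can be assembled and checked by a script rather than by hand. This is an added example, not part of the original post: the function name `ConvertTo-CipherSuiteLine`, its parameters and the sample list are assumptions made for illustration.

```powershell
# Added example (not from the original post). Builds the single-line value
# for the SSL Cipher Suite Order policy box from a list pasted one per line.
function ConvertTo-CipherSuiteLine {
    param(
        [Parameter(Mandatory = $true)][string]$PastedList,
        [string[]]$Preferred = @(),   # suites to move to the top, in this order
        [string[]]$Remove = @(),      # suites to leave out
        [int]$MaxLength = 1023        # limit stated in the post
    )
    # Accept line breaks or commas as separators; trim stray spaces.
    $suites = @($PastedList -split '[\r\n,]+' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })

    # A name with an embedded space or other unexpected character is rejected.
    $bad = @($suites | Where-Object { $_ -notmatch '^[A-Za-z0-9_]+$' })
    if ($bad.Count -gt 0) { throw "Invalid suite name(s): $($bad -join '; ')" }

    # Every preferred suite must already be in the list of available suites.
    $missing = @($Preferred | Where-Object { $suites -notcontains $_ })
    if ($missing.Count -gt 0) { throw "Not in pasted list: $($missing -join ', ')" }

    # Preferred suites first, then the rest in original order, minus removals.
    $ordered = @($Preferred) + @($suites | Where-Object { $Preferred -notcontains $_ })
    $ordered = @($ordered | Where-Object { $Remove -notcontains $_ } | Select-Object -Unique)
    if ($ordered.Count -eq 0) { throw 'No cipher suites left after filtering.' }

    $line = $ordered -join ','
    if ($line.Length -gt $MaxLength) {
        throw "Line is $($line.Length) characters; the maximum is $MaxLength."
    }
    return $line
}

# Constructed sample input, not the list from any particular server.
$sample = @'
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
'@

# The suite the post moves to the top; 3DES is dropped as an example removal.
$line = ConvertTo-CipherSuiteLine -PastedList $sample `
    -Preferred 'TLS_RSA_WITH_RC4_128_SHA' -Remove 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
Write-Output $line
Write-Output "Length: $($line.Length) of 1023"
```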