Cannot Connect to Remote Server with WinSCP 5.5.4 thru 5.7.3 Using Scripting Method via Command Line

Advertisement

MrWinFL37_2
Guest

Cannot Connect to Remote Server with WinSCP 5.5.4 thru 5.7.3 Using Scripting Method via Command Line

Cannot Connect to Remote Server with WinSCP 5.5.4 thru 5.7.3 Using Scripting Method via Command Line. Was able to connect with Version 5.5.1.

For almost 2 years, I have been uploading files to a business FTP Server, and suddenly I cannot connect to that server from the Command Line with a Script, ever since upgrading to WinSCP 5.5.4 thru 5.7.3. In the previous 2 years, I was using WinSCP 5.5.1, and pasted below is the section of the LOG file for when connections were successful with Version 5.5.1, as well as now that they are failing. The error is "TLS connect: error in SSLv2/v3 read server hello A
Can't establish TLS connection
Disconnected from server
However, I am able to connect with the GUI version and the same settings in "Sites", and perform uploads manually. Below are sections of the LOG file from the GUI with Ver 5.7.3, Command Line with Ver 5.7.3, and Command Line with Ver 5.5.1. All kinds of variations of the script's switches have been tried: such as -explicittls open ftp://
Here is the command line:
winscp.com /script=connectload_AS_0827.txt /log=log.txt
Here is the script:
option batch off
option confirm on
open ftps://UMAN5441:JKE78MNW1@onlinefileserver.metrodyg.com:20021/ -timeout=60 -explicitssl -passive=ON -certificate="0d:76:c4:f2:00:ad:5c:21:74:a1:88:2e:b3:0d:d8:a6:a8:79:81:ab"
lcd X:\
lcd X:\Large\Custom\Interface\SFTP\Metrodyg\FTPOUT
option transfer ascii
# Upload a file or multiple files to the local directory
put X:\Large\Custom\Interface\SFTP\Metrodyg\FTPOUT\AS_0827.txt /AR12345356/*.*
close
exit
After running the script I get following in console:
C:\Program Files (x86)\WinSCP>winscp.com /script=connectload_AS_0827.txt /log=log.txt
batch off
confirm on
Connecting to onlinefileserver.metrodyg.com:20021 ...
Connection failed.
TLS connect: error in SSLv2/v3 read server hello A
Can't establish TLS connection
Disconnected from server
Connection failed.
X:\
X:\ELITE\Custom\Interface\SFTP\Suntrust\FTPOUT
transfer ascii
No session.
No session.
Using WinSCP 5.7.3 on Windows Server 2008 R2 x64. Session log files are attached. The "Log.txt" file uses /log=log.txt switch. The "log_Accompanying_Logs.txt" file contains comparisons of the log file between GUI Mode 5.7.3 (which succeeds), Command Line 5.7.3 (which fails), and Command Line 5.5.1 (which succeeds).
Thank you

Contact Info: Robert.weston@Akerman.com
Username: MrWinFL37
  • log_Accompanying_Logs.txt (11.56 KB, Private file)
Description: Shows log entries of 5.7.3 GUI versus Command Line, and 5.5.1
  • log.txt (4.25 KB, Private file)
Description: 5.7.3 Only - failure.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
27,252
Location:
Prague, Czechia

Re: Cannot Connect to Remote Server with WinSCP 5.5.4 thru 5.7.3 Using Scripting Method via Command Line

It looks like your server does not support TLS, only SSL.
Since 5.6.2, WinSCP does not allow SSL by default, as it suffers many vulnerabilities, including CVE-2014-3566 (POODLE).

If you want to allow SSL anyway, use: open ... -rawsettings MinTlsVersion=3

See https://winscp.net/eng/docs/rawsettings

Reply with quote

tgice
Joined:
Posts:
2

FTPS reject unless MinTlsVersion used

I found this thread after updating to the latest version (I'm sure bridging the version that changed to by default make the MinTlsVersion > 3) where I was trying to login to an FTPS site like this:

WinSCP.com /command "open ftps://username:password@address"    

when I did this without the MinTlsVersion specification, I got this type of response:

Connecting to address:990 ...
Connection failed.
TLS connect: error in SSLv2/v3 read server hello A
Can't establish TLS connection
Disconnected from server
Connection failed.
then, when I ran:

WinSCP.com /command "open ftps://username:password@address -rawsettings MinTlsVersion=3"    

I got this response:

Connecting to address:990 ...
TLS connection established. Waiting for welcome message...
Connection failed.
Using SSLv3, cipher TLSv1/SSLv3: RC4-SHA, 512 bit RSA
Connection failed.
Transaction failed ... Service unavailable or rejected
Finally, I thought to try dropping the 'username:password@' part from the open command; once I did this, and included the MinTlsVersion setting above, finally I was able to connect. Hopefully this gives someone else another thing to try on their connections.

I should also mention that the password included a ';' character, if that might make any difference, otherwise everything was pretty straightforward (and used to work on the older versions). Not sure if this could be a bug or not.

Reply with quote

tgice
Joined:
Posts:
2

Solution?

Ah, finally I thought to try the same thing from the GUI (WinSCP.exe), setup a new connection with the same details and was surprised when it connected (I of course had to go into the Advanced options and set the MinTlsVersion down to 3 as on the command line).

I wondered how it worked then, so I right-clicked the new entry and chose "Generate Session URL" and noticed that that ";" character was replaced with "%3B" in the URL. Once I used that URL on the command line, it worked.

Of course I had to indicate that the password should be saved in the entry to see it come up in the URL like that (which of course is necessary when using this in an automated scripting environment).

I suppose that's the solution, but it might be nice if a warning was generated or something if an unescaped character is used in a login/password that needs to be escaped.

Reply with quote

Advertisement

You can post new topics in this forum