SSL3 alert write: fatal: unexpected_message


akapl
Guest

SSL3 alert write: fatal: unexpected_message

Hello, I'm fighting with a strange issue...
I have an FTPS server running on IIS (Microsoft Windows Server 2016 Standard), port 22.
This FTP site is not published to the Internet; it is only for internal use by my customer.
This server uses a self-signed certificate and domain LDAP authentication and authorization.
When I connect to the server through VPN from my laptop, everything is OK without any error (I am an external IT consultant).
When my customer's employees try to connect to this server from their domain-joined computers, they are able to log in, but then they get the "TLS connect: error in SSLv2/v3 read server hello A" error and don't see any files or folders.
Their computers have WinSCP version 5.15.2 (build 9590) installed.
I'm using the portable version of WinSCP 5.13.6 (build 9061).

I tried to connect to the server with the same portable version and INI file from my customer's computer and got the same error. The error is the same on all the customer's domain computers.
I cannot find where the problem is, because I don't know which settings are wrong...

Here is session log:

. 2019-06-13 15:44:33.383 --------------------------------------------------------------------------
. 2019-06-13 15:44:33.383 WinSCP Version 5.15.2 (Build 9590) (OS 10.0.17134 - Windows 10 Enterprise)
. 2019-06-13 15:44:33.383 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2019-06-13 15:44:33.383 Log level: Debug 1
. 2019-06-13 15:44:33.383 Local account: AD\kapl
. 2019-06-13 15:44:33.383 Working directory: C:\Program Files (x86)\WinSCP
. 2019-06-13 15:44:33.383 Process ID: 10848
. 2019-06-13 15:44:33.383 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" 
. 2019-06-13 15:44:33.383 Time zone: Current: GMT+2, Standard: GMT+1 (Střední Evropa (běžný čas)), DST: GMT+2 (Střední Evropa (letní čas)), DST Start: 31.03.2019, DST End: 27.10.2019
. 2019-06-13 15:44:33.383 Login time: čtvrtek 13. červen 2019 15:44:33
. 2019-06-13 15:44:33.383 --------------------------------------------------------------------------
. 2019-06-13 15:44:33.383 Session name: @srv-svc1.ad.domain.cz (Site)
. 2019-06-13 15:44:33.383 Host name: srv-svc1.ad.domain.cz (Port: 22)
. 2019-06-13 15:44:33.383 User name: ad\mravenec (Password: No, Key file: No, Passphrase: No)
. 2019-06-13 15:44:33.383 Transfer Protocol: FTP
. 2019-06-13 15:44:33.383 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2019-06-13 15:44:33.383 Disable Nagle: No
. 2019-06-13 15:44:33.383 Proxy: None
. 2019-06-13 15:44:33.383 Send buffer: 262144
. 2019-06-13 15:44:33.383 UTF: Auto
. 2019-06-13 15:44:33.383 FTPS: Explicit TLS/SSL [Client certificate: No]
. 2019-06-13 15:44:33.383 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2019-06-13 15:44:33.383 Session reuse: Yes
. 2019-06-13 15:44:33.383 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2019-06-13 15:44:33.383 Local directory: C:\Users\kapl\Documents, Remote directory: /, Update: Yes, Cache: Yes
. 2019-06-13 15:44:33.383 Cache directory changes: Yes, Permanent: Yes
. 2019-06-13 15:44:33.383 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2019-06-13 15:44:33.383 Timezone offset: 0h 0m
. 2019-06-13 15:44:33.383 --------------------------------------------------------------------------
. 2019-06-13 15:44:33.399 Connecting to srv-svc1.ad.domain.cz:22 ...
. 2019-06-13 15:44:33.399 Connected with srv-svc1.ad.domain.cz:22, negotiating TLS connection...
< 2019-06-13 15:44:33.399 220 Microsoft FTP Service
> 2019-06-13 15:44:33.399 AUTH TLS
< 2019-06-13 15:44:33.415 234 AUTH command ok. Expecting TLS Negotiation.
. 2019-06-13 15:44:33.462 Verifying certificate for "" with fingerprint f5:54:e5:c6:a3:75:fa:42:56:11:fe:d4:8d:2e:3a:4a:e4:3c:01:ec and 20 failures
. 2019-06-13 15:44:33.462 Certificate common name "SRV-SVC1.ad.domain.cz" matches hostname
. 2019-06-13 15:44:33.462 Certificate for "" matches cached fingerprint and failures
. 2019-06-13 15:44:33.462 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
. 2019-06-13 15:44:33.462 Session upkeep
. 2019-06-13 15:44:33.477 TLS connection established. Waiting for welcome message...
> 2019-06-13 15:44:33.477 USER ad\mravenec
< 2019-06-13 15:44:33.477 331 Password required
. 2019-06-13 15:44:34.493 Session upkeep
. 2019-06-13 15:44:35.508 Session upkeep
. 2019-06-13 15:44:36.523 Session upkeep
. 2019-06-13 15:44:37.539 Session upkeep
. 2019-06-13 15:44:38.554 Session upkeep
. 2019-06-13 15:44:39.570 Session upkeep
. 2019-06-13 15:44:40.585 Session upkeep
. 2019-06-13 15:44:41.600 Session upkeep
. 2019-06-13 15:44:42.616 Session upkeep
. 2019-06-13 15:44:43.631 Session upkeep
. 2019-06-13 15:44:44.647 Session upkeep
> 2019-06-13 15:44:44.803 PASS ************
< 2019-06-13 15:44:44.818 230 User logged in.
> 2019-06-13 15:44:44.818 SYST
. 2019-06-13 15:44:44.834 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
< 2019-06-13 15:44:44.834 215 Windows_NT
> 2019-06-13 15:44:44.834 FEAT
< 2019-06-13 15:44:44.834 211-Extended features supported:
< 2019-06-13 15:44:44.834  LANG EN*
< 2019-06-13 15:44:44.834  UTF8
< 2019-06-13 15:44:44.834  AUTH TLS;TLS-C;SSL;TLS-P;
< 2019-06-13 15:44:44.834  PBSZ
< 2019-06-13 15:44:44.834  PROT C;P;
< 2019-06-13 15:44:44.834  CCC
< 2019-06-13 15:44:44.834  HOST
< 2019-06-13 15:44:44.834  SIZE
< 2019-06-13 15:44:44.834  MDTM
< 2019-06-13 15:44:44.834  REST STREAM
< 2019-06-13 15:44:44.834 211 END
> 2019-06-13 15:44:44.834 OPTS UTF8 ON
< 2019-06-13 15:44:44.849 200 OPTS UTF8 command successful - UTF8 encoding now ON.
> 2019-06-13 15:44:44.849 PBSZ 0
< 2019-06-13 15:44:44.865 200 PBSZ command successful.
> 2019-06-13 15:44:44.865 PROT P
< 2019-06-13 15:44:44.865 200 PROT command successful.
. 2019-06-13 15:44:44.881 Connected
. 2019-06-13 15:44:44.881 Got reply 1 to the command 1
. 2019-06-13 15:44:44.881 --------------------------------------------------------------------------
. 2019-06-13 15:44:44.881 Using FTP protocol.
. 2019-06-13 15:44:44.881 Doing startup conversation with host.
> 2019-06-13 15:44:44.897 PWD
< 2019-06-13 15:44:44.897 257 "/" is current directory.
. 2019-06-13 15:44:44.897 Got reply 1 to the command 16
. 2019-06-13 15:44:44.897 Changing directory to "/".
> 2019-06-13 15:44:44.897 CWD /
< 2019-06-13 15:44:44.912 250 CWD command successful.
. 2019-06-13 15:44:44.912 Got reply 1 to the command 16
. 2019-06-13 15:44:44.912 Getting current directory name.
> 2019-06-13 15:44:44.912 PWD
< 2019-06-13 15:44:44.928 257 "/" is current directory.
. 2019-06-13 15:44:44.928 Got reply 1 to the command 16
. 2019-06-13 15:44:44.928 Session upkeep
. 2019-06-13 15:44:44.975 Retrieving directory listing...
> 2019-06-13 15:44:44.975 TYPE A
< 2019-06-13 15:44:44.975 200 Type set to A.
> 2019-06-13 15:44:44.975 PASV
< 2019-06-13 15:44:44.990 227 Entering Passive Mode (10,10,10,10,23,66).
> 2019-06-13 15:44:44.990 LIST -a
. 2019-06-13 15:44:44.990 Connecting to 10.10.10.10:5954 ...
< 2019-06-13 15:44:45.006 150 Opening ASCII mode data connection.
< 2019-06-13 15:44:45.037 226 Transfer complete.
. 2019-06-13 15:44:45.037 SSL3 alert write: fatal: protocol version
. 2019-06-13 15:44:45.037 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
. 2019-06-13 15:44:45.037 wrong version number
. 2019-06-13 15:44:45.037 TLS connect: error in error
. 2019-06-13 15:44:45.037 Can't establish TLS connection
. 2019-06-13 15:44:45.037 Could not retrieve directory listing
. 2019-06-13 15:44:45.037 Got reply 4 to the command 2
. 2019-06-13 15:44:45.037 LIST with -a failed, will try pure LIST
. 2019-06-13 15:44:45.037 Retrieving directory listing...
> 2019-06-13 15:44:45.037 TYPE A
< 2019-06-13 15:44:45.053 200 Type set to A.
> 2019-06-13 15:44:45.053 PASV
< 2019-06-13 15:44:45.053 227 Entering Passive Mode (10,10,10,10,23,67).
> 2019-06-13 15:44:45.053 LIST
. 2019-06-13 15:44:45.053 Connecting to 10.10.10.10:5955 ...
< 2019-06-13 15:44:45.068 150 Opening ASCII mode data connection.
< 2019-06-13 15:44:45.115 226 Transfer complete.
. 2019-06-13 15:44:45.115 TLS connect: error in SSLv2/v3 read server hello A
. 2019-06-13 15:44:45.115 Can't establish TLS connection
. 2019-06-13 15:44:45.115 Could not retrieve directory listing
. 2019-06-13 15:44:45.115 Got reply 4 to the command 2
* 2019-06-13 15:44:45.178 (ECommand) Error listing directory '/'.
* 2019-06-13 15:44:45.178 TLS connect: error in SSLv2/v3 read server hello A
* 2019-06-13 15:44:45.178 Can't establish TLS connection
* 2019-06-13 15:44:45.178 Could not retrieve directory listing
. 2019-06-13 15:44:46.193 Session upkeep
. 2019-06-13 15:44:47.208 Session upkeep
. 2019-06-13 15:44:47.661 Startup conversation with host finished.
. 2019-06-13 15:44:47.661 Session upkeep
. 2019-06-13 15:44:47.896 Session upkeep
. 2019-06-13 15:44:48.396 Session upkeep
. 2019-06-13 15:44:48.896 Session upkeep
. 2019-06-13 15:44:49.395 Session upkeep
. 2019-06-13 15:44:49.755 Got reply 1004 to the command 2
. 2019-06-13 15:44:49.755 Disconnected from server

(IP and domain name have been anonymized)

martin
Site Admin
Posts: 41,253
Location: Prague, Czechia

Re: SSL3 alert write: fatal: unexpected_message

Is the IP address in the "227 Entering Passive Mode" message correct?

Btw: IIS does not support the SFTP protocol. You have an FTPS (FTP over TLS/SSL) server running, not SFTP. You should use FTP port 21. Port 22 is for SSH/SFTP. Your setup is confusing.

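The two things worth checking in the log above are exactly what martin asks about: whether the address in the "227 Entering Passive Mode" reply is the one the client can reach, and why the data channel reports "wrong version number" only after the server has already sent "150" and "226". The following script is an added example, not WinSCP's code or anything from the thread; it decodes the PASV reply and walks a constructed WinSCP-format log excerpt (modelled on the symptom, not the poster's real log) to explain the failure.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in WinSCP log format, modelled on the thread's symptom; not the poster's log.
SAMPLE_LOG = """\
. 2019-06-13 15:44:44.975 Retrieving directory listing...
> 2019-06-13 15:44:44.975 PASV
< 2019-06-13 15:44:44.990 227 Entering Passive Mode (10,10,10,10,23,66).
> 2019-06-13 15:44:44.990 LIST -a
. 2019-06-13 15:44:44.990 Connecting to 10.10.10.10:5954 ...
< 2019-06-13 15:44:45.006 150 Opening ASCII mode data connection.
< 2019-06-13 15:44:45.037 226 Transfer complete.
. 2019-06-13 15:44:45.037 SSL3 alert write: fatal: protocol version
. 2019-06-13 15:44:45.037 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

LINE_RE = re.compile(r"^[.<>*!] \S+ \S+ (.*)$")       # strip WinSCP's direction/timestamp prefix
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
CONNECT_RE = re.compile(r"Connecting to (\S+):(\d+) \.\.\.")

def parse_pasv(text):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def diagnose(log_text):
    """Return a list of findings explaining why the FTPS data connection failed."""
    findings, pasv, replies = [], None, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        body = m.group(1) if m else line
        if body.startswith("Retrieving directory listing"):
            pasv, replies = None, set()                # a new data connection starts here
        elif "227 " in body and (p := parse_pasv(body)):
            pasv = p
            if not ip_address(p[0]).is_global:        # e.g. an internal address handed out behind NAT
                findings.append(f"PASV advertises non-public address {p[0]}:{p[1]}; "
                                "confirm it is the server address the client can actually reach")
        elif (c := CONNECT_RE.search(body)) and pasv:
            if (c.group(1), int(c.group(2))) != pasv:
                findings.append(f"client connected to {c.group(1)}:{c.group(2)} but PASV said {pasv[0]}:{pasv[1]}")
        elif body[:4] in ("150 ", "226 "):
            replies.add(int(body[:3]))
        elif body.startswith("error:") and "wrong version number" in body:
            if {150, 226} <= replies:                 # transfer "completed" before any TLS record was read
                findings.append("150 and 226 arrived before any TLS record on the data channel: the server "
                                "(or a middlebox) is sending plaintext although PROT P was accepted")
            else:
                findings.append("TLS handshake on the data channel failed: wrong version number")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```

Run it against a real WinSCP session log (the file produced by the Logging preferences) to get the same two findings the thread's log would yield.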

Guest

Re: SSL3 alert write: fatal: unexpected_message

martin wrote:

Is the IP address in the "227 Entering Passive Mode" message correct?

Btw: IIS does not support the SFTP protocol. You have an FTPS (FTP over TLS/SSL) server running, not SFTP. You should use FTP port 21. Port 22 is for SSH/SFTP. Your setup is confusing.

Yes, that IP is anonymized too, but originally it points to the right IP address.
I know, nowhere did I write SFTP... The server is FTPS. The problem is that this is the second instance of the FTPS server. I'm using port 21 for the first instance, so I must use port 22 for this second instance. Is it clear?

I tried to connect from a customer's computer to this instance with the FTP Rush client and everything works.... so I don't know where the problem is.


Guest

Re: SSL3 alert write: fatal: unexpected_message

I tried to connect from a customer's computer to this instance with the FTP Rush client and everything works.... so I don't know where the problem is.

Our log files look extremely similar to this one and I'm wondering if you ever determined the root cause? We have set up an FTP in IIS 10 on Windows Server 2016. We can connect all right from inside the server. Basically, from outside the server we never get the directory listing successfully.

. 2019-10-09 15:05:40.993 Retrieving directory listing...
> 2019-10-09 15:05:40.993 TYPE A
< 2019-10-09 15:05:40.993 200 Type set to A.
> 2019-10-09 15:05:40.993 PASV
< 2019-10-09 15:05:41.009 227 Entering Passive Mode (XX,XXX,XX,XXX,23,201).
> 2019-10-09 15:05:41.009 LIST -a
. 2019-10-09 15:05:41.009 Connecting to XX.XXX.XX.XXX:6089 ...
. 2019-10-09 15:05:41.009 Data connection opened
. 2019-10-09 15:05:41.009 Trying reuse main TLS session ID
. 2019-10-09 15:05:41.009 TLS layer changed state from none to connected
< 2019-10-09 15:05:41.009 150 Opening ASCII mode data connection.
. 2019-10-09 15:05:41.025 SSL3 alert write: fatal: protocol version
. 2019-10-09 15:05:41.025 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
. 2019-10-09 15:05:41.025 wrong version number
. 2019-10-09 15:05:41.025 Main TLS session ID not reused, will not try again
. 2019-10-09 15:05:41.025 TLS connect: error in error
. 2019-10-09 15:05:41.025 Can't establish TLS connection
. 2019-10-09 15:05:41.025 Could not retrieve directory listing
. 2019-10-09 15:05:41.025 Got reply 4 to the command 2

martin
Site Admin

Re: SSL3 alert write: fatal: unexpected_message

Our log files look extremely similar to this one and I'm wondering if you ever determined the root cause? We have set up an FTP in IIS 10 on Windows Server 2016. We can connect all right from inside the server. Basically, from outside the server we never get the directory listing successfully.
What version of WinSCP are you using? Can you connect with any other FTP client?
