431 Failed to setup secure session.

Advertisement

akapl
Joined:
Posts:
5
Location:
Czech republc

431 Failed to setup secure session.

Hello, I just changed SSL certificate from SAN certificate to WILDCARD certificate, but now I cannot connect to any of FTPS instances. I'm getting following events in log file.
< 2020-11-30 01:06:33.825 220 
> 2020-11-30 01:06:33.825 AUTH TLS
< 2020-11-30 01:06:33.825 431 Failed to setup secure session.
> 2020-11-30 01:06:33.825 AUTH SSL
< 2020-11-30 01:06:33.825 431 Failed to setup secure session.
. 2020-11-30 01:06:33.825 Connection failed.
* 2020-11-30 01:06:33.910 (EFatal) Connection failed.
* 2020-11-30 01:06:33.910 Connection failed.
* 2020-11-30 01:06:33.910 Failed to setup secure session.
  • ftpfaktury.preventado.cz.log (11.38 KB, Private file)
Description: Server is behind NAT...

Reply with quote

Advertisement

akapl
Joined:
Posts:
5
Location:
Czech republc

Re: 431 Failed to setup secure session.

Hello Martin,
I found that new WILDCARD certificate which I got from customer is using sha384RSA algorithm. I didn't found much relevant informations about algorithms supported by IIS at W2K16 Server, but I think that this can be problem. I compared old SAN certificate, old WILDCARD certificate and new WILDCARD certificate and found only this one significant difference.

Martin, do you think that encrypt algorithm can be source of the problem? I think, that there is nothing wrong with WinSCP.
  • certs_algorithm.jpg (269.19 KB, Private file)
Description: First connection is with SAN certificate and then connection with new WILDCARD certificate.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: 431 Failed to setup secure session.

akapl wrote:

Martin, do you think that encrypt algorithm can be source of the problem? I think, that there is nothing wrong with WinSCP.
Can be, but I do not know.
What does the log show? I see some successful and some failed connections.
Did you try any other FTPS client?

Reply with quote

akapl

Re: 431 Failed to setup secure session.

I tried internal FTP client of Multi Commander with same result.

Successful connections was made with previous SAN Let's Encrypt certificate. Old WILDCARD certificate with sha256RSA works too..

Reply with quote

Advertisement

codepoet80
Guest

Re: 431 Failed to setup secure session.

akapl wrote:

Hello, I just changed SSL certificate from SAN certificate to WILDCARD certificate, but now I cannot connect to any of FTPS instances. I'm getting following events in log file.
< 2020-11-30 01:06:33.825 431 Failed to setup secure session.
I had the same problem, and managed to resolve. Posting here for anyone else who encounters this issue.
The root cause is that when changing the cert for your FTPS site it needs to be done in two different places. This happens ANY time you change the cert, even if its just a cert renewal -- it's not just for changing to wildcard certs.

The natural place to update the cert in IIS Manager is by selecting your FTP site on the Connections list on the left, then double clicking FTP SSL Settings. Do this first, change to your new cert, and apply.

Then go up near the top of the Connections and choose your server. Within your server's settings is ANOTHER "FTP SSL Settings" icon. Double click it, and repeat the steps. Make sure the site settings and server settings are the same, then re-try the connection from your client and it will work.

Reply with quote

Advertisement

You can post new topics in this forum